Samsung Electronics Co., Ltd.
Samsung Galaxy Devices on Android 9 (MDFPP31/WLANCEP10/VPNC21) Security Target

Version: 0.4
2019/07/19

Prepared for:
Samsung Electronics Co., Ltd.
416 Maetan-3dong, Yeongtong-gu, Suwon-si, Gyeonggi-do, 443-742 Korea

Prepared By:
www.gossamersec.com

Table of Contents

1 Security Target Introduction
  1.1 Security Target Reference
  1.2 TOE Reference
  1.3 TOE Overview
  1.4 TOE Description
    1.4.1 TOE Architecture
    1.4.2 TOE Documentation
2 Conformance Claims
  2.1 Conformance Rationale
3 Security Objectives
  3.1 Security Objectives for the Operational Environment
4 Extended Components Definition
5 Security Requirements
  5.1 TOE Security Functional Requirements
    5.1.1 Security Audit (FAU)
    5.1.2 Cryptographic Support (FCS)
    5.1.3 User Data Protection (FDP)
    5.1.4 Identification and Authentication (FIA)
    5.1.5 Security Management (FMT)
    5.1.6 Protection of the TSF (FPT)
    5.1.7 TOE Access (FTA)
    5.1.8 Trusted Path/Channels (FTP)
  5.2 TOE Security Assurance Requirements
    5.2.1 Development (ADV)
    5.2.2 Guidance Documents (AGD)
    5.2.3 Life-cycle Support (ALC)
    5.2.4 Tests (ATE)
    5.2.5 Vulnerability Assessment (AVA)
6 TOE Summary Specification
  6.1 Security Audit
  6.2 Cryptographic Support
  6.3 User Data Protection
  6.4 Identification and Authentication
  6.5 Security Management
  6.6 Protection of the TSF
  6.7 TOE Access
  6.8 Trusted Path/Channels
  6.9 Knox Workspace Container Functionality
7 TSF Inventory

List of Tables

Table 1 - Glossary
Table 2 - Evaluated Devices
Table 3 - Equivalent Devices
Table 4 - Carrier Models
Table 5 - Technical Decisions
Table 6 - Extended SFRs and SARs
Table 7 - TOE Security Functional Requirements
Table 8 - Security Management Functions
Table 9 - Audit Events
Table 10 - Asymmetric Key Generation per Module
Table 11 - Wi-Fi Alliance Certificates
Table 12 - Salt Creation
Table 13 - BoringSSL Cryptographic Algorithms
Table 14 - Kernel Versions
Table 15 - Samsung Kernel Cryptographic Algorithms
Table 16 - TEE Environments
Table 17 - SCrypto TEE Cryptographic Algorithms
Table 18 - Hardware Components
Table 19 - Chipset Hardware Cryptographic Algorithms
Table 20 - Key Management Matrix
Table 21 - Access Control Categories
Table 22 - DAR Encryption Implementations
Table 23 - Device biometric sensor
Table 24 - Allowed Lock Screen Authentication Methods
Table 25 - Secure Boot Public Keys
Table 26 - Power-up Cryptographic Algorithm Self-Tests
Table 27 - TSF Files Inventory

1 Security Target Introduction

This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE consists of the Samsung Galaxy Devices on Android 9 provided by Samsung Electronics Co., Ltd. The TOE is being evaluated as a Mobile Device.

The Security Target contains the following additional sections:

- Conformance Claims (Section 2)
- Security Objectives (Section 3)
- Extended Components Definition (Section 4)
- Security Requirements (Section 5)
- TOE Summary Specification (Section 6)

Acronyms and Terminology

AA     Assurance Activity
BAF    Biometric Authentication Factor
CC     Common Criteria
CCEVS  Common Criteria Evaluation and Validation Scheme
EAR    Entropy Analysis Report
GUI    Graphical User Interface
NFC    Near Field Communication
PAD    Presentation Attack Detection
PAI    Presentation Attack Instrument
PCL    Product Compliant List
PP     Protection Profile
SAR    Security Assurance Requirement
SFR    Security Functional Requirement
SOF    Strength of Function
ST     Security Target
TEE    Trusted Execution Environment (TrustZone)
TOE    Target of Evaluation
U.S.   United States
VR     Validation Report

Glossary

Boot Lock Screen: The Boot Lock authentication screen appears on ODE-enabled devices on any power-up/restart cycle when the device is configured for Secure Start-up. Related to ODE.

Device Lock Screen (Android Lock Screen): The Device Lock Screen is the Android OS lock screen (as opposed to the Boot Lock screen).

File-Based Encryption (FBE): FBE allows files to be encrypted with different keys and unlocked individually based on different authentication/access controls. This is implemented as part of the ext4 filesystem (using fscrypt).

Firmware Over-the-air (FOTA): Firmware Over-the-air is a term for the process of updating the firmware (operating system and services) on the device via a wireless connection as opposed to a wired (i.e. USB) connection.

On-Device Encryption (ODE): On-Device Encryption is a Full-Disk Encryption solution for Android devices where the user data partition is encrypted at the block level. This is implemented with dm-crypt. When Secure Start-up is enabled, the user must authenticate to the Boot Lock Screen before Android will start. Related to Boot Lock Screen.

Table 1 - Glossary

Conventions

The following conventions have been applied in this document:

- Security Functional Requirements - Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement.
  o Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a parenthetical number placed at the end of the component. For example FDP_ACC.1(1) and FDP_ACC.1(2) indicate that the ST includes two iterations of the FDP_ACC.1 requirement.
  o Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a selection would be identified in italics and with embedded bold brackets (e.g., [[selected-assignment]]).
  o Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]).
  o Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., "... all objects ..." or "... some big things ...").
- Other sections of the ST - Other sections of the ST use bolding to highlight text of special interest, such as captions.

1.1 Security Target Reference

ST Title - Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 9 (MDFPP31/WLANCEP10/VPNC21) Security Target
ST Version - Version 0.4
ST Date - 2019/07/19

1.2 TOE Reference

TOE Identification - Samsung Galaxy Devices on Android 9
TOE Developer - Samsung Electronics Co., Ltd.
Evaluation Sponsor - Samsung Electronics Co., Ltd.

1.3 TOE Overview

The Target of Evaluation (TOE) are the Samsung Galaxy Devices on Android 9.
1.4 TOE Description

The TOE is a mobile device based on Android 9 with a built-in IPsec VPN client and modifications made to increase the level of security provided to end users and enterprises. The TOE is intended for use as part of an enterprise mobility solution providing mobile staff with enterprise connectivity.

The TOE includes a Common Criteria mode (or "CC mode") that an administrator can invoke using an MDM. The TOE must meet the following prerequisites in order for an administrator to transition the TOE to and remain in the CC configuration.

- Require a boot and device lock password (swipe, PIN, pattern, accessibility (direction), screen locks are not allowed). Acceptable biometrics vary with the device for the device lock.
- The maximum password failure retry policy should be less than or equal to 30.
- A screen lock password required to decrypt data on boot.
- Revocation checking must be enabled.
- External storage must be encrypted.
- Password (non-container) recovery policy and password history must not be enabled.
- When CC mode has been enabled, the TOE behaves as follows:
  o The TOE sets the system wide Android CC mode property to be enabled.
  o The TOE prevents loading of custom firmware/kernels and requires all updates occur through FOTA.
  o The TOE utilizes CAVP approved cryptographic ciphers for TLS.
  o The TOE ensures FOTA updates utilize 2048-bit PKCS#1 RSA-PSS formatted signatures (with SHA-512 hashing).

The TOE includes a containerization capability, Knox Workspace container, which is part of the Knox Platform. This container provides a way to segment applications and data into two separate areas on the device, such as a personal area and a work area, each with its own separate apps, data and security policies. For this effort, the TOE was evaluated both without and with a Knox Workspace container created. Thus, the evaluation includes several Knox-specific claims that apply to a Knox Workspace container when created.

There are different models of the TOE, the Samsung Galaxy Devices on Android 9, and these models differ in their internal components (as described in the table below). All devices are A64 architecture.
The model numbers of the mobile devices used during evaluation testing are as follows:

Device Name  | Model Number | Chipset Vendor | CPU         | Android Version | Kernel Version | Build Number
Galaxy S10e  | SM-G970F     | Samsung        | Exynos 9820 | 9               | 4.14.85        | PPR1.180610.011
Galaxy S10+  | SM-G975U     | Qualcomm       | SM8150      | 9               | 4.14.78        | PPR1.180610.011
Galaxy S9+   | SM-G965F     | Samsung        | Exynos 9810 | 9               | 4.9.59         | PPR1.180610.011
Galaxy S9+   | SM-G965U     | Qualcomm       | SDM845      | 9               | 4.9.112        | PPR1.180610.011
Galaxy Note8 | SM-N950F     | Samsung        | Exynos 8895 | 9               | 4.4.111        | PPR1.180610.011
Galaxy Note8 | SM-N950U     | Qualcomm       | MSM8998     | 9               | 4.4.153        | PPR1.180610.011

Table 2 - Evaluated Devices

In addition to the evaluated devices, the following device models are claimed as equivalent with a note about the differences between the evaluated device and the equivalent models.

Evaluated Device: Galaxy S10e (Samsung), CPU: Exynos 9820
  Equivalent Devices: Galaxy S10 (Samsung), Galaxy S10+ (Samsung), Galaxy S10 5G (Samsung)
  Differences:
  - S10 & S10+ have ultrasonic fingerprint sensor
  - S10 & S10+ have larger screen sizes
  - S10 5G has different cellular modem

Evaluated Device: Galaxy S10+ (Qualcomm), CPU: SM8150
  Equivalent Devices: Galaxy S10e (Qualcomm), Galaxy S10 (Qualcomm), Galaxy S10 5G (Qualcomm), Galaxy Fold (Qualcomm)
  Differences:
  - S10e & Fold have side image fingerprint sensor
  - S10 & S10e have smaller screen sizes
  - S10 5G has different cellular modem
  - Fold has 2 screens

Evaluated Device: Galaxy S9+ (Samsung), CPU: Exynos 9810
  Equivalent Devices: Galaxy S9 (Samsung), Galaxy Note9 (Samsung)
  Differences:
  - S9 has smaller screen
  - Note9 includes S Pen & functionality to take advantage of it for input (not security related)

Evaluated Device: Galaxy S9+ (Qualcomm), CPU: SDM845
  Equivalent Devices: Galaxy S9 (Qualcomm), Galaxy Note9 (Qualcomm)
  Differences:
  - S9 has smaller screen
  - Note9 includes S Pen & functionality to take advantage of it for input (not security related)

Evaluated Device: Galaxy Note8 (Samsung), CPU: Exynos 8895
  Equivalent Devices: Galaxy S8 (Samsung), Galaxy S8+ (Samsung)
  Differences:
  - S8 & S8+ do not include S Pen
  - S8 & S8+ are smaller

Evaluated Device: Galaxy Note8 (Qualcomm), CPU: MSM8998
  Equivalent Devices: Galaxy S8 (Qualcomm), Galaxy S8+ (Qualcomm), Galaxy S8 Active (Qualcomm), Galaxy Tab S4 (All)
  Differences:
  - S8, S8+ & S8 Active do not include S Pen
  - S8, S8+ & S8 Active are smaller
  - S8 Active has an IP68 & MIL-STD-810G certified body
  - Tab S4 (T83x) is tablet form factor (no voice calling)
  - T835 & T837 tablets have LTE
  - T830 tablets only have Wi-Fi

Table 3 - Equivalent Devices

In general, the devices include a final letter or number at the end of the name that denotes that the device is for a specific carrier or region (for example, U = US Carrier build and F = International, which were used during the evaluation).

For each device, there are specific models that are validated. This table lists the specific carrier models that have the validated configuration (covering both evaluated and equivalent devices).

Device Name      | Chipset Vendor | Base Model Number | Carrier Models
Galaxy S10 5G    | Samsung        | SM-G977           | B, N
Galaxy S10 5G    | Qualcomm       | SM-G977           | P, T, U
Galaxy S10+      | Samsung        | SM-G975           | F, N
Galaxy S10+      | Qualcomm       | SM-G975           | U, SC-04L*, SCV42*
Galaxy S10       | Samsung        | SM-G973           | F, N
Galaxy S10       | Qualcomm       | SM-G973           | U, SC-03L*, SCV41*
Galaxy S10e      | Samsung        | SM-G970           | F, N
Galaxy S10e      | Qualcomm       | SM-G970           | U
Galaxy Fold      | Qualcomm       | SM-F900           | F, N, U, SC-06L*, SCV44*
Galaxy Note9     | Samsung        | SM-N960           | F, N
Galaxy Note9     | Qualcomm       | SM-N960           | U, SC-01L*, SCV40*
Galaxy Tab S4    | Qualcomm       | SM-T830           | None
Galaxy Tab S4    | Qualcomm       | SM-T835           | N, None
Galaxy Tab S4    | Qualcomm       | SM-T837           | A, R4, P, V, T
Galaxy S9+       | Samsung        | SM-G965           | F, N
Galaxy S9+       | Qualcomm       | SM-G965           | U, SC-03K*, SCV39*
Galaxy S9        | Samsung        | SM-G960           | F, N
Galaxy S9        | Qualcomm       | SM-G960           | U, SC-02K*, SCV38*
Galaxy Note8     | Samsung        | SM-N950           | F, N
Galaxy Note8     | Qualcomm       | SM-N950           | U, SC-01K*, SCV37*
Galaxy S8+       | Samsung        | SM-G950           | F, N
Galaxy S8+       | Qualcomm       | SM-G950           | U
Galaxy S8        | Samsung        | SM-G955           | F, N
Galaxy S8        | Qualcomm       | SM-G955           | U
Galaxy S8 Active | Qualcomm       | SM-G892           | A, U

Table 4 - Carrier Models

The carrier models marked by * are explicit model numbers for those carriers and do not follow the standard specified for other models. Where Carrier Models specifies "None" that means a device without a suffix is also a device that can be placed into a validated configuration.

1.4.1 TOE Architecture

The TOE combines with a Mobile Device Management solution (note that this evaluation does not include an MDM agent nor server) that enables the Enterprise to watch, control and administer all deployed mobile devices, across multiple mobile service providers as well as facilitate secure communications through a VPN. This partnership provides a secure mobile environment that can be managed and controlled by the environment and reduces the risks that can be introduced through a Bring-Your-Own-Device (BYOD) model which can be extended to Corporate-Owned-Personally-Enabled (COPE) or other corporate-owned deployments.

Data on the TOE is protected through the implementation of Samsung On-Device Encryption (ODE) or File-Based Encryption (FBE) (see Table 22 - DAR Encryption Implementations for a list of devices and which DAR encryption is used) that utilizes CAVP certified cryptographic algorithms to encrypt device storage. This functionality is combined with a number of on-device policies including local wipe, remote wipe, password complexity, automatic lock and privileged access to security configurations to prevent unauthorized access to the device and stored data.

The Samsung Knox Software Development Kit (SDK) builds on top of the existing Android security model by expanding the current set of security configuration options to more than 600 configurable policies and including additional security functionality such as application whitelisting and blacklisting.
The Knox Platform for Enterprise provides a set of flexible deployment options for Work environments, including the ability to enhance the BYOD or COPE models by creating a separate container for the Enterprise (the Workspace). Within the Knox Workspace, the Enterprise can provision separate applications and ensure they are kept separate from anything the user may do outside the Knox Workspace. The Enterprise can use policy controls to manage a Work environment on the device as a whole or within the Knox Workspace container specifically, as needed by the organization.

1.4.1.1 Physical Boundaries

The TOE is a multi-user mobile device based on Android 9 that incorporates the Samsung Knox SDK. The TOE does not include the user applications that run on top of the operating system, but does include controls that limit application behavior. The TOE includes an IPsec VPN client integrated into the firmware (as opposed to a downloadable application). Within an Enterprise environment, the Enterprise can manage the configuration of the mobile device, including the VPN client, through a compliant device management solution.

The TOE communicates and interacts with 802.11-2012 Access Points and mobile data networks to establish network connectivity, and through that connectivity interacts with MDM servers that allow administrative control of the TOE.

1.4.1.2 Logical Boundaries

This section summarizes the security functions provided by the Samsung Galaxy Devices on Android 9:

- Security Audit
- Cryptographic support
- User data protection
- Identification and authentication
- Security management
- Protection of the TSF
- TOE access
- Trusted path/channels

1.4.1.2.1 Security Audit

The TOE generates logs for a range of security relevant events. The TOE stores the logs locally so they can be accessed by an administrator or they can be exported to an MDM.
1.4.1.2.2 Cryptographic Support

The TOE includes multiple cryptographic libraries with CAVP certified algorithms for a wide range of cryptographic functions including the following: asymmetric key generation and establishment, symmetric key generation, encryption/decryption, cryptographic hashing and keyed-hash message authentication. These functions are supported with suitable random bit generation, key derivation, salt generation, initialization vector generation, secure key storage, and key and protected data destruction. These primitive cryptographic functions are used to implement security protocols such as TLS, EAP-TLS, IPsec, and HTTPS and to encrypt the media (including the generation and protection of data and key encryption keys) used by the TOE. Many of these cryptographic functions are also accessible as services to applications running on the TOE.

1.4.1.2.3 User Data Protection

The TOE controls access to system services by hosted applications, including protection of the Trust Anchor Database. Additionally, the TOE protects user and other sensitive data using encryption so that even if a device is physically lost, the data remains protected. The functionality provided by a Knox Workspace container enhances the security of user data by providing an additional layer of separation between different categories of apps and data while the device is in use. The TOE ensures that residual information is protected from potential reuse in accessible objects such as network packets.
1.4.1.2.4 Identification and Authentication

The TOE supports a number of features related to identification and authentication. From a user perspective, except for making phone calls to an emergency number, a password or Biometric Authentication Factor (BAF) must be correctly entered to unlock the TOE. In addition, even when the TOE is unlocked the password must be re-entered to change the password or re-enroll the biometric template. Passwords are obscured when entered so they cannot be read from the TOE's display, the frequency of entering passwords is limited and when a configured number of failures occurs, the TOE will be wiped to protect its contents. Passwords can be constructed using upper and lower case characters, numbers, and special characters and passwords between 4 and 16 characters are supported.

The TOE can also serve as an 802.1X supplicant and can use X.509v3 and validate certificates for EAP-TLS, TLS and IPsec exchanges. The TOE can also act as a client or server in an authenticated Bluetooth pairing. In addition to storing X.509 certificates used for IPsec connections, the TOE can also securely store pre-shared keys for VPN connections.

1.4.1.2.5 Security Management

The TOE provides all the interfaces necessary to manage the security functions (including the VPN client) identified throughout this Security Target as well as other functions commonly found in mobile devices. Many of the available functions are available to users of the TOE while many are restricted to administrators operating through a Mobile Device Management solution once the TOE has been enrolled. Once the TOE has been enrolled and then un-enrolled, it removes all MDM policies and disables CC mode.
1.4.1.2.6 Protection of the TSF

The TOE implements a number of features to protect itself to ensure the reliability and integrity of its security features. It protects particularly sensitive data such as cryptographic keys so that they are not accessible or exportable. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability). It enforces read, write, and execute memory page protections, uses address space layout randomization, and stack-based buffer overflow protections to minimize the potential to exploit application flaws. It also protects itself from modification by applications as well as isolates the address spaces of applications from one another to protect those applications.

The TOE includes functions to perform self-tests and software/firmware integrity checking so that it might detect when it is failing or may be corrupt. If any self-tests fail, the TOE will not go into an operational mode. It also includes mechanisms (i.e., verification of the digital signature of each new image) so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE. Digital signature checking also extends to verifying applications prior to their installation.

1.4.1.2.7 TOE Access

The TOE can be locked, obscuring its display, by the user or after a configured interval of inactivity. The TOE also has the capability to display an advisory message (banner) when users unlock the TOE for use. The TOE is also able to attempt to connect to wireless networks as configured.

1.4.1.2.8 Trusted Path/Channels

The TOE supports the use of 802.11-2012, 802.1X, EAP-TLS, TLS, HTTPS and IPsec to secure communications channels between itself and other trusted network devices.
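The following Go program is an added illustration of two claims above: the CC mode requirement in Section 1.4 that FOTA updates carry 2048-bit PKCS#1 RSA-PSS signatures with SHA-512 hashing, and the statement in 1.4.1.2.6 that each new image's digital signature is verified before the TOE is updated. It is example code written for this edit, not Samsung's update verifier; the UpdateImage layout, the function names and the firmware payload are constructed assumptions. The device-side check accepts the genuine image and rejects a tampered payload, a signature from an untrusted key, and a trusted key shorter than 2048 bits.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha512"
	"errors"
	"fmt"
)

// UpdateImage is a constructed stand-in for a FOTA package: the firmware
// payload plus a detached signature over its SHA-512 digest. The real Samsung
// package layout is not described in the ST, so this structure is an assumption.
type UpdateImage struct {
	Payload   []byte
	Signature []byte
}

// PSS parameters matching the ST's claim: PKCS#1 RSA-PSS with SHA-512.
var pssOpts = &rsa.PSSOptions{SaltLength: rsa.PSSSaltLengthEqualsHash, Hash: crypto.SHA512}

const requiredKeyBits = 2048

// SignUpdate models the vendor side: hash the payload with SHA-512 and sign
// the digest with RSA-PSS.
func SignUpdate(priv *rsa.PrivateKey, payload []byte) (UpdateImage, error) {
	digest := sha512.Sum512(payload)
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA512, digest[:], pssOpts)
	if err != nil {
		return UpdateImage{}, err
	}
	return UpdateImage{Payload: payload, Signature: sig}, nil
}

// VerifyUpdate models the device side in CC mode: the trusted key must be
// 2048 bits and the PSS/SHA-512 signature must verify, otherwise the image
// is rejected before anything is written to flash.
func VerifyUpdate(trusted *rsa.PublicKey, img UpdateImage) error {
	if bits := trusted.Size() * 8; bits != requiredKeyBits {
		return fmt.Errorf("update key is %d bits, CC mode requires %d", bits, requiredKeyBits)
	}
	digest := sha512.Sum512(img.Payload)
	if err := rsa.VerifyPSS(trusted, crypto.SHA512, digest[:], img.Signature, pssOpts); err != nil {
		return errors.New("FOTA signature does not verify: update rejected")
	}
	return nil
}

// ScenarioResult records which images the device-side check accepted.
type ScenarioResult struct {
	GenuineAccepted  bool
	TamperedAccepted bool
	WrongKeyAccepted bool
	WeakKeyAccepted  bool
}

// RunScenario exercises VerifyUpdate against a genuine image, a tampered
// payload, a signature from an untrusted key, and a 1536-bit trusted key.
func RunScenario() (ScenarioResult, error) {
	var res ScenarioResult
	vendorKey, err := rsa.GenerateKey(rand.Reader, requiredKeyBits)
	if err != nil {
		return res, err
	}
	payload := []byte("constructed firmware payload v1") // constructed sample, not a real image
	genuine, err := SignUpdate(vendorKey, payload)
	if err != nil {
		return res, err
	}
	res.GenuineAccepted = VerifyUpdate(&vendorKey.PublicKey, genuine) == nil

	// Flip one bit of the payload after signing; the digest no longer matches.
	tampered := UpdateImage{Payload: append([]byte(nil), payload...), Signature: genuine.Signature}
	tampered.Payload[0] ^= 0x01
	res.TamperedAccepted = VerifyUpdate(&vendorKey.PublicKey, tampered) == nil

	// An image signed by some other 2048-bit key is not trusted by this device.
	otherKey, err := rsa.GenerateKey(rand.Reader, requiredKeyBits)
	if err != nil {
		return res, err
	}
	fromOther, err := SignUpdate(otherKey, payload)
	if err != nil {
		return res, err
	}
	res.WrongKeyAccepted = VerifyUpdate(&vendorKey.PublicKey, fromOther) == nil

	// A well-formed signature under a shorter key is rejected on key size alone.
	weakKey, err := rsa.GenerateKey(rand.Reader, 1536)
	if err != nil {
		return res, err
	}
	fromWeak, err := SignUpdate(weakKey, payload)
	if err != nil {
		return res, err
	}
	res.WeakKeyAccepted = VerifyUpdate(&weakKey.PublicKey, fromWeak) == nil
	return res, nil
}

func main() {
	res, err := RunScenario()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", res)
}
```

The key-size check runs before the signature check on purpose: in a verifier, the trusted key is configuration, and a configuration mistake (a short key) should fail closed rather than be masked by an otherwise valid signature.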
1.4.2 TOE Documentation

- Samsung Android 9.x on Galaxy Devices Administrator Guide, version 5.0, July 19, 2019
- Samsung VPN Client on Galaxy Devices Administrator Guide, version 5.0, May 22, 2019

2 Conformance Claims

This TOE is conformant to the following CC specifications:

- Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 5, April 2017.
  o Part 2 Extended
- Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1 Revision 5, April 2017.
  o Part 3 Conformant
- Package Claims:
  o Protection Profile for Mobile Device Fundamentals, Version 3.1, 16 June 2017 (MDFPP31)
  o General Purpose Operating Systems Protection Profile/Mobile Device Fundamentals Protection Profile Extended Package (EP) Wireless Local Area Network (WLAN) Clients, Version 1.0, 08 February 2016 (WLANCEP10)
  o PP-Module for Virtual Private Network (VPN) Clients, Version 2.1, 05 October 2017 (VPNC21)
- Technical Decisions as of March 22, 2019:

TD No. | PP                | Applied | Rationale
TD0194 | WLANCEP10         | Yes     | Impacts required audit events
TD0236 | MDFPP31           | No      | Superseded by TD0244
TD0244 | MDFPP31 WLANCEP10 | Yes     | Allows additional TLSC curves
TD0301 | MDFPP31           | Yes     | Biometrics supported and affects FMT_SMF_EXT.3 Assurance Activities
TD0303 | VPNC21            | Yes     | IKEv1 with XAUTH supported
TD0304 | MDFPP31           | Yes     | Impacts Assurance Activities
TD0305 | MDFPP31           | Yes     | Impacts Assurance Activities
TD0330 | VPNC21            | Yes     | Updates FCS_CKM.1 key generation
TD0346 | MDFPP31           | Yes     | Removes selection from FMT_SMF_EXT.2.1
TD0347 | MDFPP31           | Yes     | Updates Use Case 2
TD0351 | MDFPP31           | Yes     | Adds DEK selections to FCS_CKM_EXT.2.1
TD0355 | VPNC21            | No      | Applies to VPN client being evaluated with App PP
TD0362 | VPNC21            | No      | Random PSK generation not selected
TD0366 | MDFPP31           | Yes     | FCS_COP.1(5) updated language per TD
TD0369 | MDFPP31           | Yes     | LTTCKM present
TD0371 | MDFPP31           | Yes     | Updates Use Case 2
TD0373 | VPNC21            | No      | Applies to VPN client being evaluated with App PP
TD0378 | VPNC21            | Yes     | TOE/TOE Platform selection in FCS_IPSEC.1
TD0379 | VPNC21            | Yes     | FCS_IPSEC_EXT.1.11 tests updated
TD0385 | VPNC21            | No      | Applies to VPN client being evaluated with App PP
TD0387 | VPNC21            | No      | Applies to VPN client being evaluated with GPOS PP
TD0413 | MDFPP31           | Yes     | Update to properly allow VPN PP-Module

Table 5 - Technical Decisions

2.1 Conformance Rationale

The ST conforms to the MDFPP31/WLANCEP10/VPNC21. As explained previously, the security problem definition, security objectives, and security requirements are defined in the PP.
3 Security Objectives

The Security Problem Definition may be found in the MDFPP31/WLANCEP10/VPNC21 and this section reproduces only the corresponding Security Objectives for the operational environment for reader convenience. The MDFPP31/WLANCEP10/VPNC21 offers additional information about the identified security objectives, but that has not been reproduced here and the MDFPP31/WLANCEP10/VPNC21 should be consulted if there is interest in that material.

In general, the MDFPP31/WLANCEP10/VPNC21 has defined Security Objectives appropriate for Mobile Devices and as such are applicable to the Samsung Galaxy Devices on Android 9 TOE.

3.1 Security Objectives for the Operational Environment

- OE.CONFIG: TOE administrators will configure the Mobile Device security functions correctly to create the intended security policy.
- OE.NO_TOE_BYPASS (WLANCEP10): Information cannot flow between external and internal networks located in different enclaves without passing through the TOE.
- OE.NOTIFY: The Mobile User will immediately notify the administrator if the Mobile Device is lost or stolen.
- OE.PRECAUTION: The Mobile User exercises precautions to reduce the risk of loss or theft of the Mobile Device.
- OE.TRUSTED_ADMIN: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
- OE.NO_TOE_BYPASS (VPNC21): Information cannot flow onto the network to which the VPN client's host is connected without passing through the TOE.
- OE.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment.
- OE.TRUSTED_CONFIG: Personnel configuring the TOE and its operational environment will follow the applicable security configuration guidance.
4 Extended Components Definition
All of the extended requirements in this ST have been drawn from the MDFPP31/WLANCEP10/VPNC21. The MDFPP31/WLANCEP10/VPNC21 defines the following extended SFRs and SARs and, since they are not redefined in this ST, the MDFPP31/WLANCEP10/VPNC21 should be consulted for more information concerning those CC extensions.

Requirement Class / Requirement Component
FCS: Cryptographic support
  FCS_CKM_EXT.1: Extended: Cryptographic Key Support
  FCS_CKM_EXT.2: Extended: Cryptographic Key Random Generation
  FCS_CKM_EXT.3: Extended: Cryptographic Key Generation
  FCS_CKM_EXT.4: Extended: Key Destruction
  FCS_CKM_EXT.5: Extended: TSF Wipe
  FCS_CKM_EXT.6: Extended: Salt Generation
  FCS_HTTPS_EXT.1: Extended: HTTPS Protocol
  FCS_IPSEC_EXT.1: Extended: IPsec
  FCS_IV_EXT.1: Extended: Initialization Vector Generation
  FCS_RBG_EXT.1: Extended: Cryptographic Operation (Random Bit Generation)
  FCS_RBG_EXT.2: Extended: Cryptographic Operation (Random Bit Generation)
  FCS_SRV_EXT.1: Extended: Cryptographic Algorithm Services
  FCS_SRV_EXT.2: Extended: Cryptographic Algorithm Services
  FCS_STG_EXT.1: Extended: Cryptographic Key Storage
  FCS_STG_EXT.2: Extended: Encrypted Cryptographic Key Storage
  FCS_STG_EXT.3: Extended: Integrity of encrypted key storage
  FCS_TLSC_EXT.1: Extended: TLS Protocol
  FCS_TLSC_EXT.1/WLAN: Extended: Extensible Authentication Protocol-Transport Layer Security - WLAN
  FCS_TLSC_EXT.2: Extended: TLS Protocol
  FCS_TLSC_EXT.2/WLAN: Extended: TLS Client Protocol - WLAN
FDP: User data protection
  FDP_ACF_EXT.1: Extended: Security access control
  FDP_ACF_EXT.2: Extended: Security access control
  FDP_ACF_EXT.3: Extended: Security attribute based access control
  FDP_DAR_EXT.1: Extended: Protected Data Encryption
  FDP_DAR_EXT.2: Extended: Sensitive Data Encryption
  FDP_IFC_EXT.1: Extended: Subset information flow control
  FDP_PBA_EXT.1: Extended: Storage of Critical Biometric Parameters
  FDP_STG_EXT.1: Extended: User Data Storage
  FDP_UPC_EXT.1: Extended: Inter-TSF user data transfer protection
FIA: Identification and authentication
  FIA_AFL_EXT.1: Extended: Authentication failure handling
  FIA_BLT_EXT.1: Extended: Bluetooth User Authorization
  FIA_BLT_EXT.2: Extended: Bluetooth Mutual Authentication
  FIA_BLT_EXT.3: Extended: Rejection of Duplicate Bluetooth Connections
  FIA_BLT_EXT.4: Extended: Secure Simple Pairing
  FIA_BLT_EXT.6: Extended: Bluetooth User Authorization
  FIA_BMG_EXT.1(1): Extended: Accuracy of Biometric Authentication
  FIA_BMG_EXT.1(2): Extended: Accuracy of Biometric Authentication
  FIA_BMG_EXT.1(3): Extended: Accuracy of Biometric Authentication
  FIA_BMG_EXT.6: Extended: Spoof Detections for Biometrics
  FIA_PAE_EXT.1: Extended: Port Access Entity Authentication
  FIA_PMG_EXT.1: Extended: Password Management
  FIA_PSK_EXT.1: Extended: Pre-Shared Key Composition - VPN
  FIA_TRT_EXT.1: Extended: Authentication Throttling
  FIA_UAU_EXT.1: Extended: Authentication for Cryptographic Operation
  FIA_UAU_EXT.2: Extended: Timing of Authentication
  FIA_UAU_EXT.4: Extended: Secondary User Authentication
  FIA_X509_EXT.1: Extended: Validation of certificates
  FIA_X509_EXT.2: Extended: X509 certificate authentication
  FIA_X509_EXT.2/WLAN: Extended: X.509 Certificate Authentication (EAP-TLS) - WLAN
  FIA_X509_EXT.3: Extended: Request Validation of certificates
FMT: Security management
  FMT_MOF_EXT.1: Extended: Management of security functions behavior
  FMT_SMF_EXT.1: Extended: Specification of Management Functions
  FMT_SMF_EXT.1/WLAN: Extended: Specification of Management Functions - WLAN
  FMT_SMF_EXT.2: Extended: Specification of Remediation Actions
  FMT_SMF_EXT.3: Extended: Current Administrator
FPT: Protection of the TSF
  FPT_AEX_EXT.1: Extended: Anti-Exploitation Services (ASLR)
  FPT_AEX_EXT.2: Extended: Anti-Exploitation Services (Memory Page Permissions)
  FPT_AEX_EXT.3: Extended: Anti-Exploitation Services (Overflow Protection)
  FPT_AEX_EXT.4: Extended: Domain Isolation
  FPT_AEX_EXT.5: Extended: Anti-Exploitation Services (ASLR)
  FPT_AEX_EXT.6: Extended: Anti-Exploitation Services (Memory Page Permissions)
  FPT_BBD_EXT.1: Extended: Application Processor Mediation
  FPT_JTA_EXT.1: Extended: JTAG Disablement
  FPT_KST_EXT.1: Extended: Key Storage
  FPT_KST_EXT.2: Extended: No Key Transmission
  FPT_KST_EXT.3: Extended: No Plaintext Key Export
  FPT_NOT_EXT.1: Extended: Self-Test Notification
  FPT_TST_EXT.1: Extended: TSF Cryptographic Functionality Testing
  FPT_TST_EXT.1/WLAN: Extended: TSF Cryptographic Functionality Testing - WLAN
  FPT_TST_EXT.1/VPN: Extended: TSF Cryptographic Functionality Testing - VPN
  FPT_TST_EXT.2(1): Extended: TSF Integrity Checking
  FPT_TST_EXT.2(2): Extended: TSF Integrity Checking
  FPT_TUD_EXT.1: Extended: Trusted Update: TSF version query
  FPT_TUD_EXT.2: Extended: TSF Update Verification
FTA: TOE access
  FTA_SSL_EXT.1: Extended: TSF- and User-initiated Locked State
  FTA_WSE_EXT.1: Extended: Wireless Network Access - WLAN
FTP: Trusted path/channels
  FTP_ITC_EXT.1: Extended: Trusted channel Communication
  FTP_ITC_EXT.1/WLAN: Extended: Trusted Channel Communication (Wireless LAN) - WLAN
ALC: Life Cycle Support
  ALC_TSU_EXT.1: Timely Security Updates
Table 6 - Extended SFRs and SARs

5 Security Requirements
This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) that serve to represent the security functional claims for the Target of Evaluation (TOE) and to scope the evaluation effort.
The SFRs have all been drawn from the MDFPP31/WLANCEP10/VPNC21. The refinements and operations already performed in the MDFPP31/WLANCEP10/VPNC21 are not identified (e.g., highlighted) here; rather, the requirements have been copied from the MDFPP31/WLANCEP10/VPNC21 and any residual operations have been completed herein. Of particular note, the MDFPP31/WLANCEP10/VPNC21 made a number of refinements and completed some of the SFR operations defined in the Common Criteria (CC), and that PP should be consulted to identify those changes if necessary.
The SARs are also drawn from the MDFPP31/WLANCEP10/VPNC21, which include all the SARs for EAL1 augmented with ALC_TSU_EXT.1. However, the SARs are effectively refined since requirement-specific 'Assurance Activities' are defined in the MDFPP31/WLANCEP10/VPNC21 that serve to ensure corresponding evaluations will yield more practical and consistent assurance than the assurance requirements alone. The MDFPP31/WLANCEP10/VPNC21 should be consulted for the assurance activity definitions.

5.1 TOE Security Functional Requirements
The following table identifies the SFRs that are satisfied by the Samsung Galaxy Devices on Android 9 TOE.
Requirement Class / Requirement Component
FAU: Security Audit
  FAU_GEN.1: Audit Data Generation
  FAU_SAR.1: Audit Review
  FAU_SEL.1: Selective Audit
  FAU_STG.1: Audit Storage Protection
  FAU_STG.4: Prevention of Audit Data Loss
FCS: Cryptographic support
  FCS_CKM.1: Cryptographic key generation
  FCS_CKM.1/WLAN: Cryptographic Key Generation (Symmetric Keys for WPA2 Connections) - WLAN
  FCS_CKM.1/VPN: Cryptographic Key Generation (IKE) - VPN
  FCS_CKM.2(1): Cryptographic key establishment
  FCS_CKM.2(2): Cryptographic key establishment (While device is locked)
  FCS_CKM.2/WLAN: Cryptographic Key Distribution (GTK) - WLAN
  FCS_CKM_EXT.1: Extended: Cryptographic Key Support
  FCS_CKM_EXT.2: Extended: Cryptographic Key Random Generation
  FCS_CKM_EXT.3: Extended: Cryptographic Key Generation
  FCS_CKM_EXT.4: Extended: Key Destruction
  FCS_CKM_EXT.5: Extended: TSF Wipe
  FCS_CKM_EXT.6: Extended: Salt Generation
  FCS_COP.1(1): Cryptographic operation
  FCS_COP.1(2): Cryptographic operation
  FCS_COP.1(3): Cryptographic operation
  FCS_COP.1(4): Cryptographic operation
  FCS_COP.1(5): Cryptographic operation
  FCS_HTTPS_EXT.1: Extended: HTTPS Protocol
  FCS_IPSEC_EXT.1: Extended: IPsec
  FCS_IV_EXT.1: Extended: Initialization Vector Generation
  FCS_RBG_EXT.1: Extended: Cryptographic Operation (Random Bit Generation)
  FCS_RBG_EXT.2: Extended: Cryptographic Operation (Random Bit Generation)
  FCS_SRV_EXT.1: Extended: Cryptographic Algorithm Services
  FCS_SRV_EXT.2: Extended: Cryptographic Algorithm Services
  FCS_STG_EXT.1: Extended: Cryptographic Key Storage
  FCS_STG_EXT.2: Extended: Encrypted Cryptographic Key Storage
  FCS_STG_EXT.3: Extended: Integrity of encrypted key storage
  FCS_TLSC_EXT.1: Extended: TLS Protocol
  FCS_TLSC_EXT.1/WLAN: Extended: Extensible Authentication Protocol-Transport Layer Security - WLAN
  FCS_TLSC_EXT.2: Extended: TLS Protocol
  FCS_TLSC_EXT.2/WLAN: Extended: TLS Client Protocol - WLAN
FDP: User data protection
  FDP_ACF_EXT.1: Extended: Security access control
  FDP_ACF_EXT.2: Extended: Security access control
  FDP_ACF_EXT.3: Extended: Security attribute based access control
  FDP_DAR_EXT.1: Extended: Protected Data Encryption
  FDP_DAR_EXT.2: Extended: Sensitive Data Encryption
  FDP_IFC_EXT.1: Extended: Subset information flow control
  FDP_PBA_EXT.1: Extended: Storage of Critical Biometric Parameters
  FDP_RIP.2: Full Residual Information Protection
  FDP_STG_EXT.1: Extended: User Data Storage
  FDP_UPC_EXT.1: Extended: Inter-TSF user data transfer protection
FIA: Identification and authentication
  FIA_AFL_EXT.1: Extended: Authentication failure handling
  FIA_BLT_EXT.1: Extended: Bluetooth User Authorization
  FIA_BLT_EXT.2: Extended: Bluetooth Mutual Authentication
  FIA_BLT_EXT.3: Extended: Rejection of Duplicate Bluetooth Connections
  FIA_BLT_EXT.4: Extended: Secure Simple Pairing
  FIA_BLT_EXT.6: Extended: Bluetooth User Authorization
  FIA_BMG_EXT.1(1): Extended: Accuracy of Biometric Authentication
  FIA_BMG_EXT.1(2): Extended: Accuracy of Biometric Authentication
  FIA_BMG_EXT.1(3): Extended: Accuracy of Biometric Authentication
  FIA_BMG_EXT.6: Extended: Spoof Detections for Biometrics
  FIA_PAE_EXT.1: Extended: Port Access Entity Authentication
  FIA_PMG_EXT.1: Extended: Password Management
  FIA_PSK_EXT.1: Extended: Pre-Shared Key Composition - VPN
  FIA_TRT_EXT.1: Extended: Authentication Throttling
  FIA_UAU.5: Multiple Authentication Mechanisms
  FIA_UAU.6(1): Re-Authentication
  FIA_UAU.6(2): Re-Authentication
  FIA_UAU.7: Protected authentication feedback
  FIA_UAU_EXT.1: Extended: Authentication for Cryptographic Operation
  FIA_UAU_EXT.2: Extended: Timing of Authentication
  FIA_UAU_EXT.4: Extended: Secondary User Authentication
  FIA_X509_EXT.1: Extended: Validation of certificates
  FIA_X509_EXT.2: Extended: X509 certificate authentication
  FIA_X509_EXT.2/WLAN: Extended: X.509 Certificate Authentication (EAP-TLS) - WLAN
  FIA_X509_EXT.3: Extended: Request Validation of certificates
FMT: Security management
  FMT_MOF_EXT.1: Extended: Management of security functions behavior
  FMT_SMF_EXT.1: Extended: Specification of Management Functions
  FMT_SMF_EXT.1/WLAN: Extended: Specification of Management Functions - WLAN
  FMT_SMF.1/VPN: Specification of Management Functions - VPN
  FMT_SMF_EXT.2: Extended: Specification of Remediation Actions
  FMT_SMF_EXT.3: Extended: Current Administrator
FPT: Protection of the TSF
  FPT_AEX_EXT.1: Extended: Anti-Exploitation Services (ASLR)
  FPT_AEX_EXT.2: Extended: Anti-Exploitation Services (Memory Page Permissions)
  FPT_AEX_EXT.3: Extended: Anti-Exploitation Services (Overflow Protection)
  FPT_AEX_EXT.4: Extended: Domain Isolation
  FPT_AEX_EXT.5: Extended: Anti-Exploitation Services (ASLR)
  FPT_AEX_EXT.6: Extended: Anti-Exploitation Services (Memory Page Permissions)
  FPT_BBD_EXT.1: Extended: Application Processor Mediation
  FPT_JTA_EXT.1: Extended: JTAG Disablement
  FPT_KST_EXT.1: Extended: Key Storage
  FPT_KST_EXT.2: Extended: No Key Transmission
  FPT_KST_EXT.3: Extended: No Plaintext Key Export
  FPT_NOT_EXT.1: Extended: Self-Test Notification
  FPT_STM.1: Reliable time stamps
  FPT_TST_EXT.1: Extended: TSF Cryptographic Functionality Testing
  FPT_TST_EXT.1/WLAN: Extended: TSF Cryptographic Functionality Testing - WLAN
  FPT_TST_EXT.1/VPN: Extended: TSF Cryptographic Functionality Testing - VPN
  FPT_TST_EXT.2(1): Extended: TSF Integrity Checking
  FPT_TST_EXT.2(2): Extended: TSF Integrity Checking
  FPT_TUD_EXT.1: Extended: Trusted Update: TSF version query
  FPT_TUD_EXT.2: Extended: TSF Update Verification
FTA: TOE access
  FTA_SSL_EXT.1: Extended: TSF- and User-initiated Locked State
  FTA_TAB.1: Default TOE Access Banners
  FTA_WSE_EXT.1: Extended: Wireless Network Access - WLAN
FTP: Trusted path/channels
  FTP_ITC_EXT.1: Extended: Trusted channel Communication
  FTP_ITC_EXT.1/WLAN: Extended: Trusted Channel Communication (Wireless LAN) - WLAN
Table 7 – TOE Security Functional Requirements

5.1.1 Security Audit (FAU)
5.1.1.1 FAU_GEN.1: Audit Data Generation
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
1. Start-up and shutdown of the audit functions
2. All auditable events for the not selected level of audit
3. All administrative actions
4. Start-up and shutdown of the Rich OS
5. Insertion or removal of removable media
6. Specifically defined auditable events in Table 1 (of the MDFPP31);
7. [Audit records reaching [95%] percentage of audit capacity].
8. [Objective audit events from the MDFPP31 as listed in Table 8 Audit Events, auditable events in Table 2 of WLANCEP10]
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
1. Date and time of the event
2. type of event
3. subject identity
4. the outcome (success or failure) of the event
5. additional information in Table 1
6. [no additional information]
(TD0194 applied)
5.1.1.2 FAU_SAR.1: Audit Review
FAU_SAR.1.1 The TSF shall provide the administrator with the capability to read all audited events and record contents from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
5.1.1.3 FAU_SEL.1: Selective Audit
FAU_SEL.1.1 The TSF shall be able to select the set of events to be audited from the set of all auditable events based on the following attributes [
- success of auditable security events;
- failure of auditable security events; and
- [event group, event severity, User ID and kernel events]].
5.1.1.4 FAU_STG.1: Audit Storage Protection
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion.
FAU_STG.1.2 The TSF shall be able to prevent unauthorized modifications to the stored audit records in the audit trail.
5.1.1.5 FAU_STG.4: Prevention of Audit Data Loss
FAU_STG.4.1 The TSF shall overwrite the oldest stored audit records if the audit trail is full.

5.1.2 Cryptographic Support (FCS)
5.1.2.1 FCS_CKM.1: Cryptographic key generation
FCS_CKM.1.1 The TSF shall generate asymmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm [ECC schemes] using ["NIST curves" P-256, P-384, and [P-521]] that meet the following: [FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.4]; [
- [FFC schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.1]]; [
- [RSA schemes] using cryptographic key sizes of [2048-bit or greater] that meet the following: [FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.3]].
(TD0330 applied)
5.1.2.2 FCS_CKM.1/WLAN: Cryptographic Key Generation (Symmetric Keys for WPA2 Connections) – WLAN
FCS_CKM.1.1/WLAN Refinement: The TSF shall generate symmetric cryptographic keys in accordance with a specified cryptographic key generation algorithm PRF-384 and [no other] and specified cryptographic key sizes 128 bits and [no other key sizes] using a Random Bit Generator as specified in FCS_RBG_EXT.1 that meet the following: IEEE 802.11-2012 and [IEEE 802.11ac-2014].
5.1.2.3 FCS_CKM.1/VPN: Cryptographic Key Generation (IKE) - VPN
FCS_CKM.1.1/VPN The [OS] shall generate asymmetric cryptographic keys used for IKE peer authentication in accordance with: [
- FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.3 for RSA schemes;
- FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.4 for ECDSA schemes and implementing "NIST curves", P-256, P-384 and [P-521]]
and specified cryptographic key sizes equivalent to, or greater than, a symmetric key strength of 112 bits.
5.1.2.4 FCS_CKM.2(1): Cryptographic key establishment
FCS_CKM.2(1).1 The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method:
- RSA-based key establishment schemes that meet the following: NIST Special Publication 800-56B, "Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography"
- Elliptic curve-based key establishment schemes that meet the following: NIST Special Publication 800-56A, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography", and [
- Finite field-based key establishment schemes] that meet the following: NIST Special Publication 800-56A, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"].
5.1.2.5 FCS_CKM.2(2): Cryptographic key establishment (While device is locked)
FCS_CKM.2(2).1 The TSF shall perform cryptographic key establishment in accordance with a specified cryptographic key establishment method: [Elliptic curve-based key establishment schemes that meet the following: [NIST Special Publication 800-56A, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography"]] for the purposes of encrypting sensitive data received while the device is locked.
5.1.2.6 FCS_CKM.2/WLAN: Cryptographic Key Distribution (GTK) - WLAN
FCS_CKM.2.1/WLAN Refinement: The TSF shall decrypt Group Temporal Key in accordance with a specified cryptographic key distribution method [AES Key Wrap in an EAPOL-Key frame] that meets the following: [RFC 3394 for AES Key Wrap, 802.11-2012 for the packet format and timing considerations] and does not expose the cryptographic keys.
5.1.2.7 FCS_CKM_EXT.1: Extended: Cryptographic Key Support
FCS_CKM_EXT.1.1 The TSF shall support a [immutable hardware] REK(s) with a [symmetric] key of strength [256 bits].
FCS_CKM_EXT.1.2 Each REK shall be hardware-isolated from Rich OS on the TSF in runtime.
FCS_CKM_EXT.1.3 Each REK shall be generated by a RBG in accordance with FCS_RBG_EXT.1.
5.1.2.8 FCS_CKM_EXT.2: Extended: Cryptographic Key Random Generation
FCS_CKM_EXT.2.1 All DEKs shall be [
- randomly generated
- from the combination of a randomly generated DEK with another DEK or salt in a way that preserves the effective entropy of each factor by [concatenating the keys and using a KDF (as described in SP 800-108)]
] with entropy corresponding to the security strength of AES key sizes of [256] bits.
(TD0351 applied)
5.1.2.9 FCS_CKM_EXT.3: Extended: Cryptographic Key Generation
FCS_CKM_EXT.3.1 The TSF shall use [asymmetric KEKs of [128-bit] security strength, symmetric KEKs of [256-bit] security strength corresponding to at least the security strength of the keys encrypted by the KEK].
FCS_CKM_EXT.3.2 The TSF shall generate all KEKs using one of the following methods:
- derive the KEK from a Password Authentication Factor according to FCS_COP.1(5).1 and [
- generate the KEK using an RBG that meets this profile (as specified in FCS_RBG_EXT.1),
- generate the KEK using a key generation scheme that meets this profile (as specified in FCS_CKM.1),
- Combine the KEK from other KEKs in a way that preserves the effective entropy of each factor by [concatenating the keys and using a KDF (as described in SP 800-108), encrypting one key with another]].
(TD0366 applied)
5.1.2.10 FCS_CKM_EXT.4: Extended: Key Destruction
FCS_CKM_EXT.4.1 The TSF shall destroy cryptographic keys in accordance with the specified cryptographic key destruction methods:
- by clearing the KEK encrypting the target key
- in accordance with the following rules
  o For volatile memory, the destruction shall be executed by a single direct overwrite [consisting of zeroes].
  o For non-volatile EEPROM, the destruction shall be executed by a single direct overwrite consisting of a pseudorandom pattern using the TSF's RBG (as specified in FCS_RBG_EXT.1), followed by a read-verify.
  o For non-volatile flash memory that is not wear-leveled, the destruction shall be executed [by a single direct overwrite consisting of zeros followed by a read-verify].
  o For non-volatile flash memory that is wear-leveled, the destruction shall be executed [by a block erase].
  o For non-volatile memory other than EEPROM and flash, the destruction shall be executed by a single direct overwrite with a random pattern that is changed before each write.
FCS_CKM_EXT.4.2 The TSF shall destroy all plaintext keying material and critical security parameters when no longer needed.
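The KEK derivation methods selected in FCS_CKM_EXT.3.2 (a KEK conditioned from the Password Authentication Factor as FCS_COP.1(5) specifies, a KEK drawn from the RBG, and a KEK combined from two factors by concatenation followed by an SP 800-108 KDF, the same combination method selected for DEKs in FCS_CKM_EXT.2.1), written out as a small key hierarchy. This is an added illustration, not code from the Security Target or from the Samsung implementation. It uses only the Python standard library; os.urandom stands in for the FCS_RBG_EXT.1 DRBG, and the KDF label, the context strings and the sample salt length are assumptions made for the example.

```python
"""Added example: the KEK derivation methods of FCS_CKM_EXT.3.2, stdlib only.

  1. password-derived KEK: PBKDF2-HMAC-SHA-256, salt, 4096 iterations,
     256-bit output (the selections in FCS_COP.1(5)).
  2. RBG-generated KEK: 32 bytes from os.urandom (stand-in for the
     FCS_RBG_EXT.1 DRBG).
  3. combined KEK: concatenate both factors and run them through the
     SP 800-108 counter-mode KDF with HMAC-SHA-256, so the output carries
     the entropy of both inputs.
Labels, context strings and salt length are illustrative assumptions.
"""
import hashlib
import hmac
import os
import struct

KEY_LEN = 32              # 256-bit KEK, the [256-bit] selection in FCS_CKM_EXT.3.1
PBKDF2_ITERATIONS = 4096  # the [4096] selection in FCS_COP.1(5).1


def password_kek(password: str, salt: bytes) -> bytes:
    """Method 1: condition a Password Authentication Factor into a KEK.

    PBKDF2 with HMAC-SHA-256 per NIST SP 800-132.  The salt comes from the
    RBG (FCS_CKM_EXT.6) and is stored beside the ciphertext; the derived
    KEK itself is never stored.
    """
    if len(salt) < 16:
        raise ValueError("salt too short for SP 800-132 (need >= 128 bits)")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def rbg_kek() -> bytes:
    """Method 2: a KEK taken directly from the RBG (os.urandom here)."""
    return os.urandom(KEY_LEN)


def kdf_ctr_hmac_sha256(key_in: bytes, label: bytes, context: bytes,
                        out_len: int) -> bytes:
    """SP 800-108 KDF in counter mode with HMAC-SHA-256 as the PRF.

    K(i) = HMAC(K_in, [i]_4 || Label || 0x00 || Context || [L]_4) for
    i = 1, 2, ... until out_len bytes exist; L is the output length in bits.
    """
    out = b""
    i = 1
    length_bits = struct.pack(">I", out_len * 8)
    while len(out) < out_len:
        fixed = struct.pack(">I", i) + label + b"\x00" + context + length_bits
        out += hmac.new(key_in, fixed, hashlib.sha256).digest()
        i += 1
    return out[:out_len]


def combined_kek(factor_a: bytes, factor_b: bytes, context: bytes = b"") -> bytes:
    """Method 3: combine two KEK factors by concatenation plus KDF.

    The concatenation is the KDF key input, so every byte of both factors
    influences the output and knowing one factor still leaves the full
    entropy of the other to guess.
    """
    if len(factor_a) != KEY_LEN or len(factor_b) != KEY_LEN:
        raise ValueError("both factors must be 256-bit keys")
    return kdf_ctr_hmac_sha256(factor_a + factor_b, b"KEK-combine", context, KEY_LEN)


def derive_storage_kek(password: str, salt: bytes, rek_derived_kek: bytes) -> bytes:
    """Hierarchy matching FCS_STG_EXT.2.1 option 2.b: a KEK derived from a
    REK-derived KEK together with the password-derived KEK."""
    return combined_kek(rek_derived_kek, password_kek(password, salt),
                        context=b"storage")
```

The order of the factors and the label are part of the derivation: swapping them yields an unrelated KEK, which is why the TSF must fix them once and treat them as protocol constants.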
5.1.2.11 FCS_CKM_EXT.5: Extended: TSF Wipe
FCS_CKM_EXT.5.1 The TSF shall wipe all protected data by [Cryptographically erasing the encrypted DEKs and/or the KEKs in non-volatile memory by following the requirements in FCS_CKM_EXT.4.1].
FCS_CKM_EXT.5.2 The TSF shall perform a power cycle on conclusion of the wipe procedure.
5.1.2.12 FCS_CKM_EXT.6: Extended: Salt Generation
FCS_CKM_EXT.6.1 The TSF shall generate all salts using a RBG that meets FCS_RBG_EXT.1.
5.1.2.13 FCS_COP.1(1): Cryptographic operation
FCS_COP.1(1).1 The TSF shall perform encryption/decryption in accordance with a specified cryptographic algorithm:
- AES-CBC (as defined in FIPS PUB 197, and NIST SP 800-38A) mode
- AES-CCMP (as defined in FIPS PUB 197, NIST SP 800-38C and IEEE 802.11-2012),
- AES-GCM (as defined in NIST SP 800-38D), and [
- AES Key Wrap (KW) (as defined in NIST SP 800-38F),
- AES-XTS (as defined in NIST SP 800-38E)]
and cryptographic key sizes 128-bit key sizes and [256-bit key sizes].
5.1.2.14 FCS_COP.1(2): Cryptographic operation
FCS_COP.1(2).1 The TSF shall perform cryptographic hashing in accordance with a specified cryptographic algorithm SHA-1 and [SHA-256, SHA-384, SHA-512] and message digest sizes 160 and [256, 384, 512] that meet the following: FIPS Pub 180-4.
5.1.2.15 FCS_COP.1(3): Cryptographic operation
FCS_COP.1(3).1 The TSF shall perform cryptographic signature services (generation and verification) in accordance with a specified cryptographic algorithm
- RSA schemes using cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, 'Digital Signature Standard (DSS)', Section 4 and [
- ECDSA schemes using 'NIST curves' P-384 and [P-256, P-521] that meet the following: FIPS PUB 186-4, 'Digital Signature Standard (DSS)', Section 5].
5.1.2.16 FCS_COP.1(4): Cryptographic operation
FCS_COP.1(4).1 The TSF shall perform keyed-hash message authentication in accordance with a specified cryptographic algorithm HMAC-SHA-1 and [HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512] and cryptographic key sizes [160, 256, 384, 512 bits] and message digest sizes 160 and [256, 384, 512] bits that meet the following: FIPS Pub 198-1, 'The Keyed-Hash Message Authentication Code', and FIPS Pub 180-4, 'Secure Hash Standard'.
5.1.2.17 FCS_COP.1(5): Cryptographic operation
FCS_COP.1(5).1 The TSF shall perform conditioning in accordance with a specified cryptographic algorithm HMAC-[SHA-256, SHA-512] using a salt, and [PBKDF2 with [4096] iterations], and output cryptographic key sizes [256] that meet the following: NIST [SP 800-132].
(TD0366 applied)
5.1.2.18 FCS_HTTPS_EXT.1: Extended: HTTPS Protocol
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.
FCS_HTTPS_EXT.1.2 The TSF shall implement HTTPS using TLS (FCS_TLSC_EXT.1).
FCS_HTTPS_EXT.1.3 The TSF shall notify the application and [no other action] if the peer certificate is deemed invalid.
5.1.2.19 FCS_IPSEC_EXT.1: Extended: IPsec
FCS_IPSEC_EXT.1.1 The [TOE] shall implement the IPsec architecture as specified in RFC 4301.
FCS_IPSEC_EXT.1.2 The [TOE] shall implement [tunnel mode].
FCS_IPSEC_EXT.1.3 The [TOE] shall have a nominal, final entry in the SPD that matches anything that is otherwise unmatched, and discards it.
FCS_IPSEC_EXT.1.4 The [TOE] shall implement the IPsec protocol ESP as defined by RFC 4303 using the cryptographic algorithms AES-GCM-128, AES-GCM-256 as specified in RFC 4106, [AES-CBC-128, AES-CBC-256 (both specified by RFC 3602) together with a Secure Hash Algorithm (SHA)-based HMAC, no other algorithms].
FCS_IPSEC_EXT.1.5 The [TOE] shall implement the protocol: [
- IKEv1, using Main Mode for Phase 1 exchanges, as defined in RFCs 2407, 2408, 2409, RFC 4109, [no other RFCs for extended sequence numbers], and [no other RFCs for hash functions] and [support for XAUTH];
- IKEv2 as defined in RFCs 7296 (with mandatory support for NAT traversal as specified in section 2.23), 4307, and [no other RFCs for hash functions]].
(TD0303 applied)
FCS_IPSEC_EXT.1.6 The [TOE] shall ensure the encrypted payload in the [IKEv1, IKEv2] protocol uses the cryptographic algorithms AES-CBC-128, AES-CBC-256 as specified in RFC 6379 and [AES-GCM-128, AES-GCM-256 as specified in RFC 5282] (see footnote 1).
FCS_IPSEC_EXT.1.7 The [TOE] shall ensure that [
- IKEv2 SA lifetimes can be configured by [VPN Gateway] based on [length of time];
- IKEv1 SA lifetimes can be configured by [VPN Gateway] based on [length of time]].
If length of time is used, it must include at least one option that is 24 hours or less for Phase 1 SAs and 8 hours or less for Phase 2 SAs.
FCS_IPSEC_EXT.1.8 The [TOE] shall ensure that all IKE protocols implement DH Groups 14 (2048-bit MODP), 19 (256-bit Random ECP), 20 (384-bit Random ECP), and [5 (1536-bit MODP), 24 (2048-bit MODP with 256-bit POS)].
FCS_IPSEC_EXT.1.9 The [TOE] shall generate the secret value x used in the IKE Diffie-Hellman key exchange ("x" in g^x mod p) using the random bit generator specified in FCS_RBG_EXT.1, and having a length of at least [(224, 256, or 384)] bits.
FCS_IPSEC_EXT.1.10 The [TOE] shall generate nonces used in IKE exchanges in a manner such that the probability that a specific nonce value will be repeated during the life of a specific IPsec SA is less than 1 in 2^[(112, 128, or 192)].
FCS_IPSEC_EXT.1.11 The [TOE] shall ensure that all IKE protocols perform peer authentication using a [RSA, ECDSA] that use X.509v3 certificates that conform to RFC 4945 and [Pre-Shared Keys].
FCS_IPSEC_EXT.1.12 The [TOE] shall not establish an SA if the [IP address, Fully Qualified Domain Name (FQDN)] and [no other reference identifier type] contained in a certificate does not match the expected value(s) for the entity attempting to establish a connection.
(TD0378 applied)
FCS_IPSEC_EXT.1.13 The [TOE] shall not establish an SA if the presented identifier does not match the configured reference identifier of the peer.
(TD0378 applied)
FCS_IPSEC_EXT.1.14 The [VPN Gateway] shall be able to ensure by default that the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [IKEv1 Phase 1, IKEv2 IKE_SA] connection is greater than or equal to the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the [IKEv1 Phase 2, IKEv2 CHILD_SA] connection.
Footnote 1: Note that AES-GCM-128 and AES-GCM-256 are supported only for IKEv2.
5.1.2.20 FCS_IV_EXT.1: Extended: Initialization Vector Generation
FCS_IV_EXT.1.1 The TSF shall generate IVs in accordance with MDFPP31 Table 11: References and IV Requirements for NIST-approved Cipher Modes.
5.1.2.21 FCS_RBG_EXT.1: Extended: Cryptographic Operation (Random Bit Generation)
FCS_RBG_EXT.1.1 The TSF shall perform all deterministic random bit generation services in accordance with NIST Special Publication 800-90A using [Hash_DRBG (any), HMAC_DRBG (any), CTR_DRBG (AES)].
FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded by an entropy source that accumulates entropy from [TSF-hardware-based noise source] with a minimum of [256 bits] of entropy at least equal to the greatest security strength (according to NIST SP 800-57) of the keys and hashes that it will generate.
FCS_RBG_EXT.1.3 The TSF shall be capable of providing output of the RBG to applications running on the TSF that request random bits.
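One of the three constructions selected in FCS_RBG_EXT.1.1, HMAC_DRBG from NIST SP 800-90A section 10.1.2, carried through instantiate, generate and reseed so the state handling behind FCS_RBG_EXT.1.2 and FCS_RBG_EXT.2.1 is visible. This is an added illustration, not code from the Security Target or from the Samsung implementation. The entropy input is supplied by the caller (in the TOE it comes from the hardware noise source named in FCS_RBG_EXT.1.2; os.urandom stands in for it in the helper), the reseed interval is an illustrative constant and not a value from the ST, and the serialized state format is an assumption for the example.

```python
"""Added example: HMAC_DRBG (SP 800-90A 10.1.2) with HMAC-SHA-256, stdlib only.
The entropy source, reseed interval and state serialization are stand-ins
for the example; they are not taken from the Security Target."""
import hashlib
import hmac
import os

OUTLEN = 32                    # SHA-256 output length in bytes
SECURITY_STRENGTH_BYTES = 32   # 256-bit seed, the minimum in FCS_RBG_EXT.1.2
RESEED_INTERVAL = 1 << 16      # illustrative; SP 800-90A permits up to 2**48


class HmacDrbg:
    def __init__(self, entropy_input: bytes, nonce: bytes,
                 personalization: bytes = b""):
        if len(entropy_input) < SECURITY_STRENGTH_BYTES:
            raise ValueError("entropy_input below the required security strength")
        # Instantiate (10.1.2.3): K = 0x00..00, V = 0x01..01, then Update(seed).
        self._k = b"\x00" * OUTLEN
        self._v = b"\x01" * OUTLEN
        self._update(entropy_input + nonce + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self._k, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        """HMAC_DRBG_Update (10.1.2.2): fold provided_data into K and V."""
        self._k = self._hmac(self._v + b"\x00" + provided_data)
        self._v = self._hmac(self._v)
        if provided_data:
            self._k = self._hmac(self._v + b"\x01" + provided_data)
            self._v = self._hmac(self._v)

    def reseed(self, entropy_input: bytes, additional_input: bytes = b"") -> None:
        """HMAC_DRBG_Reseed (10.1.2.4).  additional_input is where saved
        state from a previous power cycle (FCS_RBG_EXT.2.1) can be fed in
        alongside fresh entropy; it never replaces the entropy."""
        if len(entropy_input) < SECURITY_STRENGTH_BYTES:
            raise ValueError("entropy_input below the required security strength")
        self._update(entropy_input + additional_input)
        self.reseed_counter = 1

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        """HMAC_DRBG_Generate (10.1.2.5).  Fails closed past the reseed
        interval rather than continuing with stale state."""
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self._v = self._hmac(self._v)
            out += self._v
        # Final Update gives backtracking resistance: output does not reveal
        # the state used to produce the next request.
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n_bytes]

    def export_state(self) -> bytes:
        """Working state to persist at power-off (FCS_RBG_EXT.2.1).  It is
        keying material and must be stored with the same protection as any
        KEK; on startup it is passed to reseed() as additional_input."""
        return self._k + self._v


def new_drbg_from_os_entropy(personalization: bytes = b"") -> HmacDrbg:
    """Seed with 256 bits of entropy and a 128-bit nonce; os.urandom stands
    in for the TSF hardware noise source."""
    return HmacDrbg(os.urandom(SECURITY_STRENGTH_BYTES), os.urandom(16),
                    personalization)
```

Two properties worth checking against any DRBG implementation: the same seed material must reproduce the same output stream (otherwise the construction is not the specified one), and different nonces or personalization strings must produce unrelated streams (otherwise instances seeded from the same entropy pool collide).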
5.1.2.22 FCS_RBG_EXT.2: Extended: Cryptographic Operation (Random Bit Generation)
FCS_RBG_EXT.2.1 The TSF shall save the state of the deterministic RBG at power-off, and shall use this state as input to the deterministic RBG at startup.
5.1.2.23 FCS_SRV_EXT.1: Extended: Cryptographic Algorithm Services
FCS_SRV_EXT.1.1 The TSF shall provide a mechanism for applications to request the TSF to perform the following cryptographic operations:
- All mandatory and [selected algorithms] in FCS_CKM.2(2)
- The following algorithms in FCS_COP.1(1): AES-CBC, [AES-GCM]
- All mandatory and selected algorithms in FCS_COP.1(3)
- All mandatory and selected algorithms in FCS_COP.1(2)
- All mandatory and selected algorithms in FCS_COP.1(4)
- [No other cryptographic operations].
5.1.2.24 FCS_SRV_EXT.2: Extended: Cryptographic Algorithm Services
FCS_SRV_EXT.2.1 The TSF shall provide a mechanism for applications to request the TSF to perform the following cryptographic operations:
- Algorithms in FCS_COP.1(1)
- Algorithms in FCS_COP.1(3)
by keys stored in the secure key storage.
5.1.2.25 FCS_STG_EXT.1: Extended: Cryptographic Key Storage
FCS_STG_EXT.1.1 The TSF shall provide [software-based] secure key storage for asymmetric private keys and [symmetric keys].
FCS_STG_EXT.1.2 The TSF shall be capable of importing keys/secrets into the secure key storage upon request of [the user, the administrator] and [applications running on the TSF].
FCS_STG_EXT.1.3 The TSF shall be capable of destroying keys/secrets in the secure key storage upon request of [the user].
FCS_STG_EXT.1.4 The TSF shall have the capability to allow only the application that imported the key/secret the use of the key/secret. Exceptions may only be explicitly authorized by [a common application developer].
FCS_STG_EXT.1.5 The TSF shall allow only the application that imported the key/secret to request that the key/secret be destroyed. Exceptions may only be explicitly authorized by [a common application developer].
5.1.2.26 FCS_STG_EXT.2: Extended: Encrypted Cryptographic Key Storage
FCS_STG_EXT.2.1 The TSF shall encrypt all DEKs and KEKs and [Wi-Fi, Bluetooth, VPN, and Security Log Agent properties (related to SE Android)] and [all software-based key storage] by KEKs that are [
1. Protected by the REK with [
   a. encryption by a REK,
   b. encryption by a KEK that is derived from a REK],
2. Protected by the REK and the password with [
   a. encryption by a REK and the password-derived KEK,
   b. encryption by a KEK that is derived from a REK and the password-derived or biometric-unlocked KEK]].
FCS_STG_EXT.2.2 DEKs, KEKs, [Bluetooth and WPA2 PSK long-term trusted channel key material and Security Log Agent properties (related to SE Android)] and [all software-based key storage] shall be encrypted using one of the following methods: [using a SP 800-56B key establishment scheme, using AES in the [GCM, CBC mode]].
(TD0369 applied)
5.1.2.27 FCS_STG_EXT.3: Extended: Integrity of encrypted key storage
FCS_STG_EXT.3.1 The TSF shall protect the integrity of any encrypted DEKs and KEKs and [long-term trusted channel key material, all software-based key storage] by [
- [GCM] cipher mode for encryption according to FCS_STG_EXT.2
- a hash (FCS_COP.1(2)) of the stored key that is encrypted by a key protected by FCS_STG_EXT.2
- a keyed hash (FCS_COP.1(4)) using a key protected by a key protected by FCS_STG_EXT.2].
FCS_STG_EXT.3.2 The TSF shall verify the integrity of the [MAC] of the stored key prior to use of the key.
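The keyed-hash option of FCS_STG_EXT.3.1 together with the verify-before-use rule of FCS_STG_EXT.3.2: an already-encrypted key blob is tagged with HMAC-SHA-256 (FCS_COP.1(4)) under an integrity key that, in the TOE, would itself be a KEK protected per FCS_STG_EXT.2, and the tag is checked in constant time before any byte of the blob is released. This is an added illustration, not code from the Security Target or from the Samsung implementation; the encryption layer is left out, and the record layout, the record marker and the sample blob bytes are constructed for the example.

```python
"""Added example: keyed-hash integrity for stored key material
(FCS_STG_EXT.3.1, third option) with MAC verification before use
(FCS_STG_EXT.3.2).  Record layout and sample data are constructed here;
the AES encryption of the blob (FCS_STG_EXT.2) is assumed to have already
happened and is not shown."""
import hashlib
import hmac
import struct

TAG_LEN = 32                     # HMAC-SHA-256 tag
MAGIC = b"KBLB"                  # constructed 4-byte record marker
HEADER = struct.Struct(">4sHH")  # magic, format version, blob length


class IntegrityError(Exception):
    """Raised when a stored key record fails its MAC check."""


def _mac_input(version: int, blob: bytes) -> bytes:
    # The header is covered by the tag, so a stripped or rewritten header
    # (e.g. a downgraded format version) is detected like any other change.
    return HEADER.pack(MAGIC, version, len(blob)) + blob


def seal_record(integrity_key: bytes, encrypted_key_blob: bytes, version: int = 1) -> bytes:
    """Return header || blob || HMAC-SHA-256(integrity_key, header || blob)."""
    if len(integrity_key) < 32:
        raise ValueError("integrity key must be at least 256 bits")
    body = _mac_input(version, encrypted_key_blob)
    tag = hmac.new(integrity_key, body, hashlib.sha256).digest()
    return body + tag


def open_record(integrity_key: bytes, record: bytes) -> bytes:
    """Verify the MAC first; only then parse and release the blob.

    Parsing before verifying would let an attacker steer the parser with
    unauthenticated bytes, which is exactly what FCS_STG_EXT.3.2 forbids.
    """
    if len(record) < HEADER.size + TAG_LEN:
        raise IntegrityError("record too short")
    body, tag = record[:-TAG_LEN], record[-TAG_LEN:]
    expected = hmac.new(integrity_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        raise IntegrityError("MAC mismatch: stored key rejected")
    magic, version, length = HEADER.unpack_from(body)
    blob = body[HEADER.size:]
    if magic != MAGIC or len(blob) != length:
        raise IntegrityError("malformed record")
    return blob


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Tamper helper for the demonstration: flip one bit anywhere in a record."""
    b = bytearray(data)
    b[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(b)
```

A single flipped bit anywhere in the record, header, blob or tag, must be rejected, and a record sealed under a different integrity key must be rejected even though it is well formed; both are the checks an evaluator would run against this SFR.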
5.1.2.28 FCS_TLSC_EXT.1: Extended: TLS Protocol
FCS_TLSC_EXT.1.1 The TSF shall implement TLS 1.2 (RFC 5246) supporting the following ciphersuites:
Mandatory Ciphersuites: [
- TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
- TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246]
Optional Ciphersuites: [
- TLS_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5288,
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289].
FCS_TLSC_EXT.1.2 The TSF shall verify that the presented identifier matches the reference identifier according to RFC 6125.
FCS_TLSC_EXT.1.3 The TSF shall not establish a trusted channel if the peer certificate is invalid.
FCS_TLSC_EXT.1.4 The TSF shall support mutual authentication using X.509v3 certificates.

5.1.2.29 FCS_TLSC_EXT.1/WLAN: Extended: Extensible Authentication Protocol-Transport Layer Security - WLAN
FCS_TLSC_EXT.1.1/WLAN The TSF shall implement TLS 1.0 and [TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] in support of the EAP-TLS protocol as specified in RFC 5216 supporting the following ciphersuites:
Mandatory Ciphersuites in accordance with RFC 5246:
- TLS_RSA_WITH_AES_128_CBC_SHA
Optional Ciphersuites: [
- TLS_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246,
- TLS_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
- TLS_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 5246,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 5246,
- TLS_DHE_RSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5246,
- TLS_DHE_RSA_WITH_AES_256_CBC_SHA256 as defined in RFC 5246,
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289,
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 as defined in RFC 5430,
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 as defined in RFC 5430,
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA as defined in RFC 4492,
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA as defined in RFC 4492,
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 as defined in RFC 5289,
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 as defined in RFC 5289].
FCS_TLSC_EXT.1.2/WLAN The TSF shall generate random values used in the EAP-TLS exchange using the RBG specified in FCS_RBG_EXT.1.
FCS_TLSC_EXT.1.3/WLAN The TSF shall use X509 v3 certificates as specified in FIA_X509_EXT.1.
FCS_TLSC_EXT.1.4/WLAN The TSF shall verify that the server certificate presented includes the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field.
FCS_TLSC_EXT.1.5/WLAN The TSF shall allow an authorized administrator to configure the list of CAs that are allowed to sign authentication server certificates that are accepted by the TOE.
FCS_TLSC_EXT.1.6/WLAN The TSF shall allow an authorized administrator to configure the list of algorithm suites that may be proposed and accepted during the EAP-TLS exchanges.

5.1.2.30 FCS_TLSC_EXT.2: Extended: TLS Protocol
FCS_TLSC_EXT.2.1 The TSF shall present the Supported Elliptic Curves Extension in the Client Hello handshake message with the following NIST curves: [secp256r1, secp384r1]. (TD0244 applied)

5.1.2.31 FCS_TLSC_EXT.2/WLAN: TLS Client Protocol - WLAN
FCS_TLSC_EXT.2.1/WLAN The TSF shall present the Supported Elliptic Curves Extension in the Client Hello with the following NIST curves: [secp256r1, secp384r1]. (TD0244 applied)

5.1.3 User Data Protection (FDP)
5.1.3.1 FDP_ACF_EXT.1: Extended: Security access control
FDP_ACF_EXT.1.1 The TSF shall provide a mechanism to restrict the system services that are accessible to an application.
FDP_ACF_EXT.1.2 The TSF shall provide an access control policy that prevents [application, groups of applications] from accessing [all] data stored by other [application, groups of applications]. Exceptions may only be explicitly authorized for such sharing by [the administrator, a common application developer].

5.1.3.2 FDP_ACF_EXT.2: Extended: Security access control
FDP_ACF_EXT.2.1 The TSF shall provide a separate [address book, calendar] for each application group and only allow applications within that process group to access the resource. Exceptions may only be explicitly authorized for such sharing by [the user].

5.1.3.3 FDP_ACF_EXT.3: Extended: Security attribute based access control
FDP_ACF_EXT.3.1 The TSF shall enforce an access control policy that prohibits an application from granting both write and execute permission to a file on the device except for [files stored in the application's private data folder].

5.1.3.4 FDP_DAR_EXT.1: Extended: Protected Data Encryption
FDP_DAR_EXT.1.1 Encryption shall cover all protected data.
FDP_DAR_EXT.1.2 Encryption shall be performed using DEKs with AES in the [CBC, GCM, XTS] mode with key size [256] bits.

5.1.3.5 FDP_DAR_EXT.2: Extended: Sensitive Data Encryption
FDP_DAR_EXT.2.1 The TSF shall provide a mechanism for applications to mark data and keys as sensitive.
FDP_DAR_EXT.2.2 The TSF shall use an asymmetric key scheme to encrypt and store sensitive data received while the product is locked.
FDP_DAR_EXT.2.3 The TSF shall encrypt any stored symmetric key and any stored private key of the asymmetric key(s) used for the protection of sensitive data according to FCS_STG_EXT.2.1 selection 2.
FDP_DAR_EXT.2.4 The TSF shall decrypt the sensitive data that was received while in the locked state upon transitioning to the unlocked state using the asymmetric key scheme and shall re-encrypt that sensitive data using the symmetric key scheme.
5.1.3.6 FDP_IFC_EXT.1: Extended: Subset information flow control
FDP_IFC_EXT.1.1 The TSF shall [provide an interface which allows a VPN client to protect all IP traffic using IPsec, provide a VPN client which can protect all IP traffic using IPsec] with the exception of IP traffic required to establish the VPN connection.

5.1.3.7 FDP_PBA_EXT.1: Extended: Storage of Critical Biometric Parameters
FDP_PBA_EXT.1.1 The TSF shall protect the authentication template [using a password as an additional factor].

5.1.3.8 FDP_RIP.2: Full Residual Information Protection
FDP_RIP.2.1 The [TOE] shall enforce that any previous information content of a resource is made unavailable upon the [allocation of the resource to] all objects.

5.1.3.9 FDP_STG_EXT.1: Extended: User Data Storage
FDP_STG_EXT.1.1 The TSF shall provide protected storage for the Trust Anchor Database.

5.1.3.10 FDP_UPC_EXT.1: Extended: Inter-TSF user data transfer protection
FDP_UPC_EXT.1.1 The TSF shall provide a means for non-TSF applications executing on the TOE to use TLS, HTTPS, Bluetooth BR/EDR, and [Bluetooth LE, IPsec] to provide a protected communication channel between the non-TSF application and another IT product that is logically distinct from other communication channels, provides assured identification of its endpoints, protects channel data from disclosure, and detects modification of the channel data.
FDP_UPC_EXT.1.2 The TSF shall permit the non-TSF applications to initiate communication via the trusted channel.

5.1.4 Identification and Authentication (FIA)
5.1.4.1 FIA_AFL_EXT.1: Extended: Authentication failure handling
FIA_AFL_EXT.1.1 The TSF shall consider password and [no other] as critical authentication mechanisms.
FIA_AFL_EXT.1.2 The TSF shall detect when a configurable positive integer within [1-30] of [non-unique] unsuccessful authentication attempts occur related to last successful authentication for each authentication mechanism.[2]
FIA_AFL_EXT.1.3 The TSF shall maintain the number of unsuccessful authentication attempts that have occurred upon power off.
FIA_AFL_EXT.1.4 When the defined number of unsuccessful authentication attempts has exceeded the maximum allowed for a given authentication mechanism, all future authentication attempts will be limited to other available authentication mechanisms, unless the given mechanism is designated as a critical authentication mechanism.
FIA_AFL_EXT.1.5 When the defined number of unsuccessful authentication attempts for the last available authentication mechanism or single critical authentication mechanism has been surpassed, the TSF shall perform a wipe of all protected data.
FIA_AFL_EXT.1.6 The TSF shall increment the number of unsuccessful authentication attempts prior to notifying the user that the authentication was unsuccessful.

[2] Verizon S8/S9/Note8/Note9/Tab S4 devices only support a maximum of 10 failed attempts at the crypt-lock screen. All devices support a maximum of 30 failed attempts at the Android (or Knox) lock screen.

5.1.4.2 FIA_BLT_EXT.1: Extended: Bluetooth User Authorization
FIA_BLT_EXT.1.1 The TSF shall require explicit user authorization before pairing with a remote Bluetooth device.

5.1.4.3 FIA_BLT_EXT.2: Extended: Bluetooth Mutual Authentication
FIA_BLT_EXT.2.1 The TSF shall require Bluetooth mutual authentication between devices prior to any data transfer over the Bluetooth link.

5.1.4.4 FIA_BLT_EXT.3: Extended: Rejection of Duplicate Bluetooth Connections
FIA_BLT_EXT.3.1 The TSF shall discard connection attempts from a Bluetooth device address (BD_ADDR) to which a current connection already exists.
5.1.4.5 FIA_BLT_EXT.4: Extended: Secure Simple Pairing
FIA_BLT_EXT.4.1 The TOE shall support Bluetooth Secure Simple Pairing, both in the host and the controller. Furthermore, Secure Simple Pairing shall be used during the pairing process if the remote device also supports it.

5.1.4.6 FIA_BLT_EXT.6: Extended: Bluetooth User Authorization
FIA_BLT_EXT.6.1 The TSF shall require explicit user authorization before granting trusted remote devices access to services associated with the following Bluetooth profiles: [OPP, MAP (MAP not available on Tab S4)], and shall require explicit user authorization before granting untrusted remote devices access to services associated with the following Bluetooth profiles: [all available Bluetooth profiles].

5.1.4.7 FIA_BMG_EXT.1(1): Extended: Accuracy of Biometric Authentication
FIA_BMG_EXT.1(1).1 The one-attempt BAF False Accept Rate (FAR) for [fingerprint (not available on Tab S4)] shall not exceed [1:10,000] with a one-attempt BAF False Reject Rate (FRR) not to exceed [3%]. (TD0301 applied)
FIA_BMG_EXT.1(1).2 The overall System Authentication False Accept Rate (SAFAR) shall be no greater than 1 in [1,000] within a 1% margin.

5.1.4.8 FIA_BMG_EXT.1(2): Extended: Accuracy of Biometric Authentication
FIA_BMG_EXT.1(2).1 The one-attempt BAF False Accept Rate (FAR) for [iris (not available on S10 devices or Fold)] shall not exceed [1:100,000] with a one-attempt BAF False Reject Rate (FRR) not to exceed [3%]. (TD0301 applied)
FIA_BMG_EXT.1(2).2 The overall System Authentication False Accept Rate (SAFAR) shall be no greater than 1 in [10,000] within a 1% margin.

5.1.4.9 FIA_BMG_EXT.1(3): Extended: Accuracy of Biometric Authentication
FIA_BMG_EXT.1(3).1 The one-attempt BAF False Accept Rate (FAR) for [hybrid] shall not exceed [1:10,000] with a one-attempt BAF False Reject Rate (FRR) not to exceed [3%]. (TD0301 applied)
FIA_BMG_EXT.1(3).2 The overall System Authentication False Accept Rate (SAFAR) shall be no greater than 1 in [1,000,000] within a 1% margin.

5.1.4.10 FIA_BMG_EXT.6: Extended: Spoof Detections for Biometrics
FIA_BMG_EXT.6.1 Refinement: The TSF shall perform Presentation Attack Detection testing up to the attack potential of [intermediate] attacks, for the fingerprint biometric modality on the S10/S10+ on each enrollment and authentication attempt, rejecting detected spoofs. When an authentication attempt fails due to PAD testing, the TSF shall not indicate to the user the reason for failure to authenticate.

5.1.4.11 FIA_PAE_EXT.1: Port Access Entity Authentication
FIA_PAE_EXT.1.1 The TSF shall conform to IEEE Standard 802.1X for a Port Access Entity (PAE) in the 'Supplicant' role.

5.1.4.12 FIA_PMG_EXT.1: Extended: Password Management
FIA_PMG_EXT.1.1 The TSF shall support the following for the Password Authentication Factor:
1. Passwords shall be able to be composed of any combination of [upper and lower case letters], numbers, and special characters: [ ! @ # $ % ^ & * ( ) + = _ / - ' " : ; , ? ` ~ \ | < > { } [ ] ];
2. Password length up to [16] characters shall be supported.

5.1.4.13 FIA_PSK_EXT.1: Extended: Pre-Shared Key Composition - VPN
FIA_PSK_EXT.1.1 The [TOE] shall be able to use pre-shared keys for IPsec.
FIA_PSK_EXT.1.2 The [TOE] shall be able to accept text-based pre-shared keys that:
- are 22 characters and [[between 1 and 64 characters]];
- composed of any combination of upper and lower case letters, numbers, and special characters (that include: '!', '@', '#', '$', '%', '^', '&', '*', '(', and ')').
FIA_PSK_EXT.1.3 The [TOE] shall condition the text-based pre-shared keys by using [[the entered string as ASCII Hex]], [be able to [accept] bit-based pre-shared keys].
5.1.4.14 FIA_TRT_EXT.1: Extended: Authentication Throttling
FIA_TRT_EXT.1.1 The TSF shall limit automated user authentication attempts by [enforcing a delay between incorrect authentication attempts] for all authentication mechanisms selected in FIA_UAU.5.1. The minimum delay shall be such that no more than 10 attempts can be attempted per 500 milliseconds.

5.1.4.15 FIA_UAU.5: Multiple Authentication Mechanisms
FIA_UAU.5.1 The TSF shall provide password and [fingerprint, iris, hybrid] to support user authentication.
FIA_UAU.5.2 The TSF shall authenticate any user's claimed identity according to the [following rules:
- Passwords
  - Can be used at any time
- Biometric
  - Can only be used
    - When Work environment is not enabled for the device lock screen,
    - When there is an enrolled biometric,
    - When the user enables the allow biometrics for unlock feature,
    - The non-critical biometric failed limit has not been reached, and
    - At device lock screen (not at the first lock screen after reboot/power-up)
- Hybrid
  - For Work environments unlock and hybrid authentication factor configured by the user
].

5.1.4.16 FIA_UAU.6(1): Re-Authentication
FIA_UAU.6(1).1 The TSF shall re-authenticate the user via the Password Authentication Factor under the conditions attempted change to any supported authentication mechanisms.

5.1.4.17 FIA_UAU.6(2): Re-Authentication
FIA_UAU.6(2).1 The TSF shall re-authenticate the user via an authentication factor defined in FIA_UAU.5.1 under the conditions TSF-initiated lock, user-initiated lock, [no other conditions].

5.1.4.18 FIA_UAU.7: Protected authentication feedback
FIA_UAU.7.1 The TSF shall provide only obscured feedback to the device's display to the user while the authentication is in progress.
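The failure-handling rules of FIA_AFL_EXT.1 (per-mechanism counters kept across power-off, incremented before the user is told, fallback to other mechanisms for a non-critical factor, wipe when the critical password factor is exhausted) together with the FIA_TRT_EXT.1 throttle, as an added example in Go that is not Samsung's implementation. The type and function names, the JSON persistence and the decision to treat the limit as exceeded when the count reaches it are assumptions made for the example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Result is what the lock screen learns from one authentication attempt.
type Result int

const (
	Success         Result = iota
	Failure                // wrong credential; the counter was incremented first (FIA_AFL_EXT.1.6)
	Throttled              // arrived before the FIA_TRT_EXT.1 minimum delay; not counted
	MechanismLocked        // non-critical mechanism exhausted, others remain (FIA_AFL_EXT.1.4)
	Wiped                  // critical mechanism exhausted: protected data wiped (FIA_AFL_EXT.1.5)
)

// "No more than 10 attempts per 500 milliseconds" (FIA_TRT_EXT.1.1): an attempt
// following an incorrect one must come at least 50 ms later.
const minDelay = 500 * time.Millisecond / 10

// Mechanism is one factor from FIA_UAU.5.1. Only password is critical
// (FIA_AFL_EXT.1.1); Limit is the configurable 1-30 value of FIA_AFL_EXT.1.2.
type Mechanism struct {
	Name     string
	Critical bool
	Limit    int
}

// AuthState is the per-mechanism failure bookkeeping. The exported fields are
// what must survive power-off (FIA_AFL_EXT.1.3); see Save and Load.
type AuthState struct {
	Failures map[string]int  `json:"failures"`
	Locked   map[string]bool `json:"locked"`
	Wiped    bool            `json:"wiped"`
	lastFail time.Time
}

func NewAuthState(mechs []Mechanism) (*AuthState, error) {
	for _, m := range mechs {
		if m.Limit < 1 || m.Limit > 30 {
			return nil, fmt.Errorf("%s: failure limit %d is outside 1-30", m.Name, m.Limit)
		}
	}
	return &AuthState{Failures: map[string]int{}, Locked: map[string]bool{}}, nil
}

// Attempt records one attempt with mechanism m at time now; ok says whether the
// credential itself verified. Constructed policy detail (not taken from the
// ST): the limit counts as exceeded when the failure count reaches m.Limit.
func (s *AuthState) Attempt(m Mechanism, ok bool, now time.Time) Result {
	if s.Wiped {
		return Wiped
	}
	if !s.lastFail.IsZero() && now.Sub(s.lastFail) < minDelay {
		return Throttled // rejected without touching any counter
	}
	if s.Locked[m.Name] {
		return MechanismLocked
	}
	if ok {
		s.Failures[m.Name] = 0 // counts are relative to the last success
		return Success
	}
	s.lastFail = now
	s.Failures[m.Name]++ // incremented before the user sees any feedback
	if s.Failures[m.Name] < m.Limit {
		return Failure
	}
	if m.Critical {
		s.Wiped = true // FIA_AFL_EXT.1.5: wipe of all protected data
		return Wiped
	}
	s.Locked[m.Name] = true // the user falls back to the remaining mechanisms
	return MechanismLocked
}

// Save and Load carry the counters across power-off (FIA_AFL_EXT.1.3). On the
// TOE this lives in protected storage; here it is a JSON blob.
func (s *AuthState) Save() ([]byte, error) { return json.Marshal(s) }

func Load(data []byte) (*AuthState, error) {
	var s AuthState
	if err := json.Unmarshal(data, &s); err != nil {
		return nil, err
	}
	if s.Failures == nil {
		s.Failures = map[string]int{}
	}
	if s.Locked == nil {
		s.Locked = map[string]bool{}
	}
	return &s, nil
}
```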
5.1.4.19 FIA_UAU_EXT.1: Extended: Authentication for Cryptographic Operation
FIA_UAU_EXT.1.1 The TSF shall require the user to present the Password Authentication Factor prior to decryption of protected data and encrypted DEKs, KEKs and [long-term trusted channel key material, all software-based key storage] at startup.

5.1.4.20 FIA_UAU_EXT.2: Extended: Timing of Authentication
FIA_UAU_EXT.2.1 The TSF shall allow [[enter password or supply biometric authentication factor to unlock, make emergency calls, receive calls, take pictures and screen shots (automatically named and stored internally by the TOE), turn the TOE off, restart the TOE, see notifications, configure sound/vibrate/mute, set the volume (up and down) for various sound categories, see the configured banner, access Notification Panel functions (including toggles Always on Display, Flashlight, Do not disturb toggle, Airplane mode, Power saving, Auto rotate, and Sound (on, mute, vibrate)), access user configured Edge applications (Edge applications not available on S8 Active, Tab S4, S10e or Fold devices) and notifications from Direct Boot-aware apps]] on behalf of the user to be performed before the user is authenticated.
FIA_UAU_EXT.2.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

5.1.4.21 FIA_UAU_EXT.4: Extended: Secondary User Authentication
FIA_UAU_EXT.4.1 The TSF shall provide a secondary authentication mechanism for accessing Enterprise applications and resources. The secondary authentication mechanism shall control access to the Enterprise application and shared resources and shall be incorporated into the encryption of protected and sensitive data belonging to Enterprise applications and shared resources.
FIA_UAU_EXT.4.2 The TSF shall require the user to present the secondary authentication factor prior to decryption of Enterprise application data and Enterprise shared resource data.
5.1.4.22 FIA_X509_EXT.1: Extended: Validation of certificates
FIA_X509_EXT.1.1 The TSF shall validate certificates in accordance with the following rules:
- RFC 5280 certificate validation and certificate path validation
- The certificate path must terminate with a certificate in the Trust Anchor Database
- The TSF shall validate a certificate path by ensuring the presence of the basicConstraints extension and that the CA flag is set to TRUE for all CA certificates
- The TSF shall validate the revocation status of the certificate using [the Online Certificate Status Protocol (OCSP) as specified in RFC 2560 (for TLS, HTTPS, IPsec), a Certificate Revocation List (CRL) as specified in RFC 5759 (for TLS, HTTPS)]
- The TSF shall validate the extendedKeyUsage field according to the following rules:
  - Certificates used for trusted updates and executable code integrity verification shall have the Code Signing purpose (id-kp 3 with OID 1.3.6.1.5.5.7.3.3) in the extendedKeyUsage field
  - Server certificates presented for TLS shall have the Server Authentication purpose (id-kp 1 with OID 1.3.6.1.5.5.7.3.1) in the extendedKeyUsage field
  - (Conditional) Server certificates presented for EST shall have the CMC Registration Authority (RA) purpose (id-kp-cmcRA with OID 1.3.6.1.5.5.7.3.28) in the extendedKeyUsage field
FIA_X509_EXT.1.2 The TSF shall only treat a certificate as a CA certificate if the basicConstraints extension is present and the CA flag is set to TRUE.

5.1.4.23 FIA_X509_EXT.2: Extended: X509 certificate authentication
FIA_X509_EXT.2.1 The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for IPsec, and [TLS, HTTPS], and [no additional uses].
FIA_X509_EXT.2.2 When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall [not accept the certificate].
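The FIA_X509_EXT.1 path rules (termination in the Trust Anchor Database, basicConstraints CA=TRUE on every CA certificate, id-kp-serverAuth in extendedKeyUsage for TLS servers) together with the RFC 6125 reference-identifier check of FCS_TLSC_EXT.1.2, as an added example in Go that is not Samsung's implementation. The PKI is constructed in memory (names and serial numbers are placeholders) so the negative cases can be exercised offline; revocation checking, which needs a network, is not modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// ValidateServerCert applies the FIA_X509_EXT.1 rules modelled here to a TLS
// server certificate: RFC 5280 path validation ending in a trust anchor,
// basicConstraints CA=TRUE on every CA in the path (FIA_X509_EXT.1.2), the
// serverAuth purpose in extendedKeyUsage, and RFC 6125 matching of the
// reference identifier (FCS_TLSC_EXT.1.2). Revocation checking is left out.
func ValidateServerCert(leaf *x509.Certificate, intermediates, anchors []*x509.Certificate, refID string) error {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range anchors {
		roots.AddCert(c) // the Trust Anchor Database
	}
	for _, c := range intermediates {
		inters.AddCert(c)
	}
	chains, err := leaf.Verify(x509.VerifyOptions{
		Roots:         roots,
		Intermediates: inters,
		// id-kp-serverAuth (1.3.6.1.5.5.7.3.1) must be in the leaf's extendedKeyUsage
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return fmt.Errorf("path validation: %w", err)
	}
	// Go already refuses to chain through a non-CA; the rule is restated here
	// so the check is visible: every issuer carries basicConstraints CA=TRUE.
	for _, c := range chains[0][1:] {
		if !c.BasicConstraintsValid || !c.IsCA {
			return fmt.Errorf("%q lacks basicConstraints CA=TRUE", c.Subject.CommonName)
		}
	}
	return leaf.VerifyHostname(refID) // presented vs. reference identifier
}

// The helpers below build a constructed PKI in memory (root, intermediate,
// leaf) so the checker can be exercised offline.
func must(err error) {
	if err != nil {
		panic(err)
	}
}

func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

func template(cn string, ca bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if ca { // basicConstraints present with CA=TRUE
		t.BasicConstraintsValid, t.IsCA = true, true
		t.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	}
	return t
}

// issue signs tmpl with parentKey (self-signed when parent is nil).
func issue(tmpl, parent *x509.Certificate, key, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// BuildChain returns (anchor, intermediate, leaf). The leaf carries the given
// EKUs and DNS SAN; caIntermediate=false leaves basicConstraints off the
// intermediate so the CA-flag rule can be seen to fire.
func BuildChain(dnsName string, ekus []x509.ExtKeyUsage, caIntermediate bool) (root, inter, leaf *x509.Certificate) {
	rootKey, interKey, leafKey := newKey(), newKey(), newKey()
	root = issue(template("Constructed Root CA", true, 1), nil, rootKey, nil)
	inter = issue(template("Constructed Issuing CA", caIntermediate, 2), root, interKey, rootKey)
	lt := template(dnsName, false, 3)
	lt.DNSNames = []string{dnsName}
	lt.KeyUsage = x509.KeyUsageDigitalSignature
	lt.ExtKeyUsage = ekus
	return root, inter, issue(lt, inter, leafKey, interKey)
}
```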
5.1.4.24 FIA_X509_EXT.2/WLAN: Extended: X.509 Certificate Authentication (EAP-TLS) - WLAN
FIA_X509_EXT.2.1/WLAN The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for EAP-TLS exchanges.
FIA_X509_EXT.2.2/WLAN When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall [accept the certificate].

5.1.4.25 FIA_X509_EXT.3: Extended: Request Validation of certificates
FIA_X509_EXT.3.1 The TSF shall provide a certificate validation service to applications.
FIA_X509_EXT.3.2 The TSF shall respond to the requesting application with the success or failure of the validation.

5.1.5 Security Management (FMT)
5.1.5.1 FMT_MOF_EXT.1: Extended: Management of security functions behavior
FMT_MOF_EXT.1.1 The TSF shall restrict the ability to perform the functions in column 3 of Table 8 - Security Management Functions to the user.
FMT_MOF_EXT.1.2 The TSF shall restrict the ability to perform the functions in column 5 of Table 8 - Security Management Functions to the administrator when the device is enrolled and according to the administrator-configured policy.

5.1.5.2 FMT_SMF_EXT.1: Extended: Specification of Management Functions
FMT_SMF_EXT.1.1 The TSF shall be capable of performing the functions in column 2 of Table 8 - Security Management Functions.

5.1.5.3 FMT_SMF_EXT.1/WLAN: Extended: Specification of Management Functions - WLAN
FMT_SMF_EXT.1.1/WLAN The TSF shall be capable of performing the following management functions in rows 48-55 of Table 8 - Security Management Functions.

5.1.5.4 FMT_SMF.1/VPN: Specification of Management Functions - VPN
FMT_SMF.1.1/VPN The TSF shall be capable of performing the following management functions in rows 56-61 of Table 8 - Security Management Functions.

Table 8 columns: Management Function | FMT_SMF_EXT.1.1 | FMT_MOF_EXT.1.1 | Admin | FMT_MOF_EXT.1.2
Status Markers: M – Mandatory; I – Implemented optional function. Each row below ends with its status markers as they appear in the original table; rows without markers have none in the original.

1. configure password policy:
   a. minimum password length
   b. minimum password complexity
   c. maximum password lifetime
   The administrator can configure the required password characteristics (minimum length, complexity, and lifetime) using the Android MDM APIs. There are distinct settings for the passwords used to unlock the base device and Knox Workspace container.
   Length: an integer value of characters (0 = no minimum)
   Complexity: Unspecified, Something, Numeric, Alphabetic, Alphanumeric, Complex.
   Lifetime: an integer value of days (0 = no maximum)
   Status: M M M

2. configure session locking policy:
   a. screen-lock enabled/disabled
   b. screen lock timeout
   c. number of authentication failures
   The administrator can configure the session locking policy using the Android MDM APIs. There are distinct settings for base device and Knox Workspace container inactivity. The user can also adjust each of the session locking policies for the base device and Knox Workspace container; however, if set by the administrator, the user can only set a more strict policy (e.g., setting the device to allow fewer authentication failures than configured by the administrator).
   Screen lock timeout: an integer number of minutes before the TOE locks (0 = no lock timeout)
   Authentication failures: an integer number (0 = no limit)
   Status: M M M

3. enable/disable the VPN protection:
   a. across device
   [b. on a per-app basis,
   c. on a per-group of applications processes basis]
   The user can configure and then enable the TOE's VPN to protect traffic across the entire device. The administrator (through an MDM Agent that utilizes the TOE's MDM APIs) can restrict the TOE's ability to connect to a VPN. The administrator can configure per-app and per-container VPN connections with the Knox Workspace MDM APIs.
   Status: M I I

4. enable/disable [NFC[3], Bluetooth, Wi-Fi, and cellular radios]
   The administrator can disable the radios using the TOE's MDM APIs. Once disabled, a user cannot enable the radio. The administrator cannot fully disable/restrict cellular voice capabilities. The TOE's radios operate at frequencies of 2.4 GHz (NFC/Bluetooth), 2.4/5 GHz (Wi-Fi), and 850 MHz (4G/LTE).
   Status: M I I

   [3] Samsung Galaxy Tab S3 and Tab S4 devices do not have NFC radios.

5. enable/disable [camera, microphone]:
   a. across device
   [d. no other method]
   An administrator may configure the TOE (through an MDM agent utilizing the TOE's MDM APIs) to turn off the camera and/or microphones. If the administrator has disabled either the camera or the microphones, then the user cannot use those capture devices. The administrator can also disable the use of the camera or microphone inside a Knox Workspace container without affecting access to those devices when outside the container.
   Status: M I I

6. transition to the locked state
   Both users and administrators (using the TOE's MDM APIs) can transition the TOE into a locked state.
   Status: M M -

7. TSF wipe of protected data
   Both users and administrators (using the TOE's MDM APIs) can force the TOE to perform a full wipe (factory reset) of data.
   Status: M M

8. configure application installation policy by:
   a. restricting the sources of applications
   [b. specifying a set of allowed applications based on [application name, developer signature] (an application whitelist)
   c. denying installation of applications]
   The administrator using the TOE's MDM APIs can configure the TOE so that applications cannot be installed and can also block the use of the Google Market Place. There are distinct settings for disabling the installation of applications for the base device and Knox Workspace container.
   Status: M M M

9. import keys/secrets into the secure key storage
   Both users and administrators (using the TOE's MDM APIs) can import secret keys into the secure key storage.
   Status: M I

10. destroy imported keys/secrets and [no other keys/secrets] in the secure key storage
    Both users and administrators (using the TOE's MDM APIs) can destroy secret keys in the secure key storage.
    Status: M I

11. import X.509v3 certificates into the Trust Anchor Database
    Both users and administrators (using the TOE's MDM APIs) can import X.509v3 certificates into the Trust Anchor Database (note that the container does not have a separate TAD, but instead shares the TAD of the mobile device).
    Status: M M

12. remove imported X.509v3 certificates and [default X.509v3 certificates] in the Trust Anchor Database
    Both users and administrators (using the TOE's MDM APIs) can remove imported X.509v3 certificates from the Trust Anchor Database as well as disable any of the TOE's default Root CA certificates (in the latter case, the CA certificate still resides in the TOE's read-only system partition; however, the TOE will treat that Root CA certificate and any certificate chaining to it as untrusted).
    Status: M I

13. enroll the TOE in management
    TOE users can enroll the TOE in management according to the instructions specific to a given MDM. Presumably any enrollment would involve at least some user functions (e.g., install an MDM agent application) on the TOE prior to enrollment.
    Status: M M

14. remove applications
    Both users and administrators (using the TOE's MDM APIs) can uninstall user and administrator installed applications on the TOE (non-container) and applications inside a Knox Workspace container.
    Status: M M

15. update system software
    Users can check for updates and cause the device to update if an update is available. An administrator can use MDM APIs to query the version of the TOE and query the installed applications, and an MDM agent on the TOE could issue pop-ups, initiate updates, block communication, etc. until any necessary updates are completed. Note that the system software covers the entire mobile device (including all container software).
    Status: M M

16. install applications
    Both users and administrators (using the TOE's MDM APIs) can install applications on the TOE (non-container) and applications inside a Knox Workspace container.
    Status: M M

17. remove Enterprise applications
    Both users and administrators (using the TOE's MDM APIs) can uninstall user and administrator installed applications on the TOE (non-container) and applications inside a Knox Workspace container. Applications installed within the Knox Workspace are marked as Enterprise (Work) applications.
    Status: M M

18. configure the Bluetooth trusted channel:
    a. disable/enable the Discoverable mode (for BR/EDR)
    b. change the Bluetooth device name
    [e. allow/disallow Android Beam and S-Beam to be used with Bluetooth]
    TOE users can enable Bluetooth discoverable mode for a short period of time and can also change the device name which is used for the Bluetooth name. Additional wireless technologies include Android Beam and S-Beam which are related to NFC and can be enabled and disabled by the TOE user. Bluetooth profiles (not services) can be managed on the device by the administrator. The administrator can restrict only items a, e, and h.
    Status: M

19. enable/disable display notification in the locked state of: [f. all notifications]
    TOE users can configure the TOE to allow or disallow notifications while in a locked state.
    Status: M

20. enable data-at-rest protection
    The TOE meets this management function in the sense that the TOE always encrypts data-at-rest. Devices shipping with Android 6.0 or higher encrypt the user data partition by default and one cannot disable the encryption. This device behavior matches the administrator enabling data-at-rest protection and then preventing the user from altering it.
    Status: M I I

21. enable removable media's data-at-rest protection
    The administrator (using the TOE's MDM APIs) can configure a device removable media encryption policy. Once enabled, the device will prompt a user to encrypt a newly inserted external SD card (and the device will then encrypt any files present, after which the device can use the SD Card). If the user chooses not to encrypt the newly inserted external SD card, then the device cannot access the SD Card. If the administrator has set the policy to force encrypt removable media, then the settings option to decrypt the SD Card is greyed out and the user cannot decrypt the SD Card.
    Status: M I I

22. enable/disable location services:
    a. across device
    [d. no other method]
    The administrator (using the TOE's MDM APIs) can disable location services. Unless disabled by the administrator, TOE users can enable and disable location services.
    Status: M I I

23. enable/disable the use of [Fingerprint, Iris, Hybrid Authentication]
    The TOE supports disabling Biometric authentication for both the TOE's normal device lockscreen and for the TOE's Knox Workspace container lockscreen. The TOE's normal device lockscreen supports fingerprint and iris, which the administrator can disable. The TOE's Knox Workspace container supports hybrid authentication (combination of password and fingerprints or iris), which the administrator can also disable.
    Status: M I I

24. enable/disable all data signaling over [assignment: list of externally accessible hardware ports]

25. enable/disable [Wi-Fi tethering, USB tethering, and Bluetooth tethering][4]
    The administrator (using the TOE's MDM APIs) can individually disable each tethering method. Unless disabled by the administrator, TOE users can individually enable and disable tethering via a Wi-Fi hotspot, USB connection, and Bluetooth pairing. The TOE acts as a server (acting as an access point, a USB Ethernet adapter, and as a Bluetooth Ethernet adapter respectively) in order to share its network connection with another device.
    Status: I I I

    [4] Not all devices support all (or any) options for tethering. Many carriers require additional subscriptions/payments to enable tethering features on the device.

26. enable/disable developer modes
    The administrator (using the TOE's MDM APIs) can disable Developer Mode. Unless disabled by the administrator, TOE users can enable and disable Developer Mode.
    Status: I I I

27. enable/disable bypass of local user authentication
    Status: I I I

28. wipe Enterprise data
    The TOE container provides the ability to remove only Enterprise data versus user data.
    Status: I

29. approve [import] by applications of X.509v3 certificates in the Trust Anchor Database
    The TOE will prompt the User to approve requests by an application to import an X.509v3 CA Certificate into the TOE's Trust Anchor Database. The User, when prompted, can allow or deny the import.

30. configure whether to establish a trusted channel or disallow establishment if the TSF cannot establish a connection to determine the validity of a certificate

31. enable/disable the cellular protocols used to connect to cellular network base stations

32. read audit logs kept by the TSF
    The administrator (using MDM APIs) can view the TOE's audit records.
    Status: I I

33. configure [selection: certificate, public-key] used to validate digital signature on applications

34. approve exceptions for shared use of keys/secrets by multiple applications

35. approve exceptions for destruction of keys/secrets by applications that did not import the key/secret

36. configure the unlock banner
    The administrator (using the TOE's MDM APIs) can define a banner of a maximum of 256 characters to be displayed while the TOE is locked. There is no method for the user to change the banner.
    Status: I I I

37. configure the auditable items
    Status: I I I

38. retrieve TSF-software integrity verification values

39. enable/disable [a. USB mass storage mode]
    The administrator (using the TOE's MDM APIs) can disable USB mass storage mode.
    Status: I I I

40. enable/disable backup of [selection: all applications, selected applications, selected groups of applications, configuration data] to [selection: local system, remote system]

41. enable/disable [
    a. Hotspot functionality authenticated by [pre-shared key],
    b. USB tethering authenticated by [no authentication]]
    The administrator (using the TOE's MDM APIs) can disable the Wi-Fi hotspot and USB tethering. Unless disabled by the administrator, TOE users can configure the Wi-Fi hotspot with a pre-shared key and can configure USB tethering (with no authentication).
    Status: I I I

42. approve exceptions for sharing data between [groups of application processes]
    The TOE container provides separation between groups of application processes along with the ability to control the ability to share data between these groups.
    Status: I I

43. place applications into application process groups based on [assignment: enterprise configuration settings]

44. unenroll the TOE from management
    Status: I I I

45. Enable/disable the Always On VPN protection
    Android's DPM API of setAlwaysOnVpnPackage allows an MDM Agent acting as either a device or profile owner to configure an always-on VPN connection through a specific VPN application for the current user.
    Status: I I I

46. Revoke Biometric template

47. [enable/disable USB host storage;
    disable CC Mode;
    enable/disable Admin removal;
    enable/disable manual Date/Time changes;
    enable/disable applications (including pre-installed);
    enable/disable auto-completion of browser text input;
    configure whitelist/blacklist of allowed email accounts]
    The user can always disable CC Mode by entirely wiping the device (factory reset), as this will return the phone to its factory state (in which CC Mode has not been enabled).
    Status: I I I for each of the seven functions listed

FMT_SMF_EXT.1(1)/WLAN
48. configure security policy for each wireless network:
    a. [specify the CA(s) from which the TSF will accept WLAN authentication server certificate(s)]
    b. security type
    c. authentication protocol
    d. client credentials to be used for authentication;
    Status: M M I

49. specify wireless networks (SSIDs) to which the TSF may connect;
    Status: I I I

50. enable/disable certificate revocation list checking;

51. disable ad hoc wireless client-to-client connection capability;

52. disable wireless network bridging capability (for example, bridging a connection between the WLAN and cellular radios on a smartphone so it can function as a hotspot);

53. disable roaming capability

54. enable/disable IEEE 802.1X pre-authentication

55. enable/disable and configure PMK caching
    a. set the amount of time (in minutes) for which PMK entries are cached
    b. set the maximum number of PMK entries that can be cached

FMT_SMF.1/VPN
56. Specify VPN gateways to use for connections
    Status: I

57. Specify IPsec VPN Clients to use for connections

58. Specify IPsec-capable network devices to use for connections

59. Specify client credentials to be used for connections
    Status: M

60. Configure the reference identifier of the peer
    Status: M

61. [any additional VPN management functions]

Table 8 - Security Management Functions

5.1.5.5 FMT_SMF_EXT.2: Extended: Specification of Remediation Actions
FMT_SMF_EXT.2.1 The TSF shall offer [wipe of protected data, wipe of sensitive data, remove Enterprise applications, remove all device-stored Enterprise resource data, remove Enterprise secondary authentication data] upon unenrollment and [no other triggers]. (TD0346 applied)

5.1.5.6 FMT_SMF_EXT.3: Extended: Current Administrator
FMT_SMF_EXT.3.1 The TSF shall provide a mechanism that allows users to view a list of currently authorized administrators and the management functions that each administrator is authorized to perform.

5.1.6 Protection of the TSF (FPT)
5.1.6.1 FPT_AEX_EXT.1: Extended: Anti-Exploitation Services (ASLR)
FPT_AEX_EXT.1.1 The TSF shall provide address space layout randomization (ASLR) to applications.
FPT_AEX_EXT.1.2 The base address of any user-space memory mapping will consist of at least 8 unpredictable bits.
5.1.6.2 FPT_AEX_EXT.2: Extended: Anti-Exploitation Services (Memory Page Permissions)
FPT_AEX_EXT.2.1 The TSF shall be able to enforce read, write, and execute permissions on every page of physical memory.
5.1.6.3 FPT_AEX_EXT.3: Extended: Anti-Exploitation Services (Overflow Protection)
FPT_AEX_EXT.3.1 TSF processes that execute in a non-privileged execution domain on the application processor shall implement stack-based buffer overflow protection.
5.1.6.4 FPT_AEX_EXT.4: Extended: Domain Isolation
FPT_AEX_EXT.4.1 The TSF shall protect itself from modification by untrusted subjects.
FPT_AEX_EXT.4.2 The TSF shall enforce isolation of address space between applications.
5.1.6.5 FPT_AEX_EXT.5: Extended: Anti-Exploitation Services (ASLR)
FPT_AEX_EXT.5.1 The TSF shall provide address space layout randomization (ASLR) to the kernel.
FPT_AEX_EXT.5.2 The base address of any kernel-space memory mapping will consist of at least 4 unpredictable bits.
5.1.6.6 FPT_AEX_EXT.6: Extended: Anti-Exploitation Services (Memory Page Permissions)
FPT_AEX_EXT.6.1 The TSF shall prevent write and execute permissions from being simultaneously granted to any page of physical memory [excluding memory used for JIT (just-in-time) compilation and memory allocated with mmap].
5.1.6.7 FPT_BBD_EXT.1: Extended: Application Processor Mediation
FPT_BBD_EXT.1.1 The TSF shall prevent code executing on any baseband processor (BP) from accessing application processor (AP) resources except when mediated by the AP.
5.1.6.8 FPT_JTA_EXT.1: Extended: JTAG Disablement
FPT_JTA_EXT.1.1 The TSF shall [control access by a signing key] to JTAG.
5.1.6.9 FPT_KST_EXT.1: Extended: Key Storage
FPT_KST_EXT.1.1 The TSF shall not store any plaintext key material in readable non-volatile memory.
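A practical way to exercise the FPT_AEX_EXT.1.2 claim (at least 8 unpredictable bits in the base of a user-space mapping) is to spawn fresh processes and count which address bits of a large mapping actually differ between them. The script below is an added example, not code from the Security Target or from Samsung. It assumes a glibc-style allocator that serves a 1 MiB request with its own anonymous mmap (so the address follows the randomized mmap base), 4 KiB pages, and a Python interpreter on the system under test (a Linux host shows the same check; fork alone keeps the parent's layout, which is why each sample is a fresh exec).

```python
"""Count the user-space address bits that vary across fresh processes.

Added example, not part of the Security Target. Each child is a fresh
exec of this script (fork alone keeps the parent's layout), so its
mapping base is re-randomized; the parent counts which bits differ.
"""
import ctypes
import subprocess
import sys

PAGE_SHIFT = 12        # assumption: 4 KiB pages, so the low 12 bits never vary
REQUIRED_BITS = 8      # FPT_AEX_EXT.1.2 threshold for user-space mappings


def sample_address() -> int:
    """Address of a 1 MiB buffer; above glibc's mmap threshold, so it lands
    in a fresh anonymous mapping that follows the randomized mmap base."""
    buf = ctypes.create_string_buffer(1 << 20)
    return ctypes.addressof(buf)


def count_unpredictable_bits(addrs, page_shift=PAGE_SHIFT) -> int:
    """Number of bit positions (above the page offset) that are 1 in at
    least one sample and 0 in at least one other sample."""
    ones = zeros = 0
    for a in addrs:
        a >>= page_shift
        ones |= a
        zeros |= ~a            # Python ints: ~a sets every bit that is 0 in a
    return bin(ones & zeros).count("1")   # ones >= 0, so the AND is finite


def aslr_verdict(addrs, required=REQUIRED_BITS):
    """(varying_bits, meets_requirement) for a list of sampled addresses."""
    bits = count_unpredictable_bits(addrs)
    return bits, bits >= required


def collect_samples(n: int = 64):
    """Spawn n fresh interpreters and gather one mapping address from each."""
    addrs = []
    for _ in range(n):
        out = subprocess.run([sys.executable, __file__, "--child"],
                             capture_output=True, text=True, check=True).stdout
        addrs.append(int(out.strip(), 16))
    return addrs


if __name__ == "__main__":
    if "--child" in sys.argv:
        print(hex(sample_address()))
    else:
        bits, ok = aslr_verdict(collect_samples())
        print(f"{bits} varying bits above the page offset: "
              f"{'PASS' if ok else 'FAIL'} (FPT_AEX_EXT.1.2 needs {REQUIRED_BITS})")
```

Counting varying bits gives a lower bound on what an attacker cannot predict, not an entropy estimate: a bit that varies is not necessarily uniform, and a short run can miss bits that are randomized rarely. Sixty-four samples reliably show every bit that flips with probability near one half, so a FAIL against the 8-bit claim is worth investigating, while a PASS only says the claim is not obviously false. The same harness, with the page-offset shift removed, can be pointed at the kernel side of FPT_AEX_EXT.5.2 only from a privileged context that can read kernel addresses, which the TOE denies to applications.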
5.1.6.10 FPT_KST_EXT.2: Extended: No Key Transmission
FPT_KST_EXT.2.1 The TSF shall not transmit any plaintext key material outside the security boundary of the TOE.
5.1.6.11 FPT_KST_EXT.3: Extended: No Plaintext Key Export
FPT_KST_EXT.3.1 The TSF shall ensure it is not possible for the TOE user(s) to export plaintext keys.
5.1.6.12 FPT_NOT_EXT.1: Extended: Self-Test Notification
FPT_NOT_EXT.1.1 The TSF shall transition to non-operational mode and [force User authentication failure] when the following types of failures occur:
• failures of the self-test(s)
• TSF software integrity verification failures
• [no other failures].
5.1.6.13 FPT_STM.1: Reliable time stamps
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.
5.1.6.14 FPT_TST_EXT.1: Extended: TSF Cryptographic Functionality Testing
FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (on power on) to demonstrate the correct operation of all cryptographic functionality.
5.1.6.15 FPT_TST_EXT.1/WLAN: Extended: TSF Cryptographic Functionality Testing - WLAN
FPT_TST_EXT.1.1/WLAN The [TOE platform] shall run a suite of self-tests during initial start-up (on power on) to demonstrate the correct operation of the TSF.
FPT_TST_EXT.1.2/WLAN The [TOE platform] shall provide the capability to verify the integrity of stored TSF executable code when it is loaded for execution through the use of the TSF-provided cryptographic services.
5.1.6.16 FPT_TST_EXT.1/VPN: Extended: TSF Self Test - VPN
FPT_TST_EXT.1.1/VPN The [TOE Platform] shall run a suite of self-tests during initial start-up (on power on) to demonstrate the correct operation of the TSF.
FPT_TST_EXT.1.2/VPN The [TOE, TOE Platform] shall provide the capability to verify the integrity of stored TSF executable code when it is loaded for execution through the use of the [cryptographic signature and hash for integrity].
5.1.6.17 FPT_TST_EXT.2(1): Extended: TSF Integrity Checking
FPT_TST_EXT.2(1).1 The TSF shall verify the integrity of the boot chain up through the Application Processor OS kernel stored in mutable media prior to its execution through the use of [an immutable hardware hash of an asymmetric key].
5.1.6.18 FPT_TST_EXT.2(2): Extended: TSF Integrity Checking
FPT_TST_EXT.2(2).1 The TSF shall verify the integrity of [[the /system partition]], stored in mutable media prior to its execution through the use of [hardware-protected hash].
5.1.6.19 FPT_TUD_EXT.1: Extended: Trusted Update: TSF version query
FPT_TUD_EXT.1.1 The TSF shall provide authorized users the ability to query the current version of the TOE firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide authorized users the ability to query the current version of the hardware model of the device.
FPT_TUD_EXT.1.3 The TSF shall provide authorized users the ability to query the current version of installed mobile applications.
5.1.6.20 FPT_TUD_EXT.2: Extended: TSF Update Verification
FPT_TUD_EXT.2.1 The TSF shall verify software updates to the Application Processor system software and [[communications processor software, bootloader software, carrier specific configuration]] using a digital signature verified by the manufacturer trusted key prior to installing those updates.
FPT_TUD_EXT.2.2 The TSF shall [update only by verified software] the TSF boot integrity [key, hash].
FPT_TUD_EXT.2.3 The TSF shall verify that the digital signature verification key used for TSF updates [matches an immutable hardware public key].
FPT_TUD_EXT.2.4 The TSF shall verify mobile application software using a digital signature mechanism prior to installation.
5.1.7 TOE Access (FTA)
5.1.7.1 FTA_SSL_EXT.1: Extended: TSF- and User-initiated Locked State
FTA_SSL_EXT.1.1 The TSF shall transition to a locked state after a time interval of inactivity.
FTA_SSL_EXT.1.2 The TSF shall transition to a locked state after initiation by either the user or the administrator.
FTA_SSL_EXT.1.3 The TSF shall, upon transitioning to the locked state, perform the following operations:
a. clearing or overwriting display devices, obscuring the previous contents;
b. [no other actions].
5.1.7.2 FTA_TAB.1: Default TOE Access Banners
FTA_TAB.1.1 Before establishing a user session, the TSF shall display an advisory warning message regarding unauthorized use of the TOE.
5.1.7.3 FTA_WSE_EXT.1: Wireless Network Access
FTA_WSE_EXT.1.1 The TSF shall be able to attempt connections only to wireless networks specified as acceptable networks as configured by the administrator in FMT_SMF_EXT.1.1/WLAN.
5.1.8 Trusted Path/Channels (FTP)
5.1.8.1 FTP_ITC_EXT.1: Extended: Trusted channel Communication
FTP_ITC_EXT.1.1 The TSF shall use 802.11-2012, 802.1X, and EAP-TLS, IPsec and [TLS, HTTPS] protocol to provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels, provides assured identification of its endpoints, protects channel data from disclosure, and detects modification of the channel data.
FTP_ITC_EXT.1.2 The TSF shall permit the TSF to initiate communication via the trusted channel.
FTP_ITC_EXT.1.3 The TSF shall initiate communication via the trusted channel for wireless access point connections, administrative communication, configured enterprise connections, and [no other connections].
5.1.8.2 FTP_ITC_EXT.1/WLAN: Trusted Channel Communication - WLAN
FTP_ITC_EXT.1.1/WLAN The TSF shall use 802.11-2012, 802.1X, and EAP-TLS to provide a trusted communication channel between itself and a wireless access point that is logically distinct from other communication channels, provides assured identification of its endpoints, protects channel data from disclosure, and detects modification of the channel data.
FTP_ITC_EXT.1.2/WLAN The TSF shall initiate communication via the trusted channel for wireless access point connections.
5.2 TOE Security Assurance Requirements
The SARs for the TOE are EAL 1 augmented with ALC_TSU_EXT.1, as specified in Part 3 of the Common Criteria. Note that the SARs have effectively been refined with the assurance activities explicitly defined in association with both the SFRs and SARs.
5.2.1 Development (ADV)
5.2.1.1 ADV_FSP.1: Basic Functional Specification
ADV_FSP.1.1d The developer shall provide a functional specification.
ADV_FSP.1.2d The developer shall provide a tracing from the functional specification to the SFRs.
ADV_FSP.1.1c The functional specification shall describe the purpose and method of use for each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.2c The functional specification shall identify all parameters associated with each SFR-enforcing and SFR-supporting TSFI.
ADV_FSP.1.3c The functional specification shall provide rationale for the implicit categorization of interfaces as SFR-non-interfering.
ADV_FSP.1.4c The tracing shall demonstrate that the SFRs trace to TSFIs in the functional specification.
ADV_FSP.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.1.2e The evaluator shall determine that the functional specification is an accurate and complete instantiation of the SFRs.
5.2.2 Guidance Documents (AGD)
5.2.2.1 AGD_OPE.1: Operational User Guidance
AGD_OPE.1.1d The developer shall provide operational user guidance.
AGD_OPE.1.1c The operational user guidance shall describe, for each user role, the user-accessible functions and privileges that should be controlled in a secure processing environment, including appropriate warnings.
AGD_OPE.1.2c The operational user guidance shall describe, for each user role, how to use the available interfaces provided by the TOE in a secure manner.
AGD_OPE.1.3c The operational user guidance shall describe, for each user role, the available functions and interfaces, in particular all security parameters under the control of the user, indicating secure values as appropriate.
AGD_OPE.1.4c The operational user guidance shall, for each user role, clearly present each type of security-relevant event relative to the user-accessible functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_OPE.1.5c The operational user guidance shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences, and implications for maintaining secure operation.
AGD_OPE.1.6c The operational user guidance shall, for each user role, describe the security measures to be followed in order to fulfill the security objectives for the operational environment as described in the ST.
AGD_OPE.1.7c The operational user guidance shall be clear and reasonable.
AGD_OPE.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.2.2 AGD_PRE.1: Preparative Procedures
AGD_PRE.1.1d The developer shall provide the TOE, including its preparative procedures.
AGD_PRE.1.1c The preparative procedures shall describe all the steps necessary for secure acceptance of the delivered TOE in accordance with the developer's delivery procedures.
AGD_PRE.1.2c The preparative procedures shall describe all the steps necessary for secure installation of the TOE and for the secure preparation of the operational environment in accordance with the security objectives for the operational environment as described in the ST.
AGD_PRE.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AGD_PRE.1.2e The evaluator shall apply the preparative procedures to confirm that the TOE can be prepared securely for operation.
5.2.3 Life-cycle Support (ALC)
5.2.3.1 ALC_CMC.1: Labelling of the TOE
ALC_CMC.1.1d The developer shall provide the TOE and a reference for the TOE.
ALC_CMC.1.1c The TOE shall be labelled with its unique reference.
ALC_CMC.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.3.2 ALC_CMS.1: TOE CM Coverage
ALC_CMS.1.1d The developer shall provide a configuration list for the TOE.
ALC_CMS.1.1c The configuration list shall include the following: the TOE itself; and the evaluation evidence required by the SARs.
ALC_CMS.1.2c The configuration list shall uniquely identify the configuration items.
ALC_CMS.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.3.3 ALC_TSU_EXT.1: Timely Security Updates
ALC_TSU_EXT.1.1d The developer shall provide a description in the TSS of how timely security updates are made to the TOE.
ALC_TSU_EXT.1.1c The description shall include the process for creating and deploying security updates for the TOE software.
ALC_TSU_EXT.1.2c The description shall express the time window as the length of time, in days, between public disclosure of a vulnerability and the public availability of security updates to the TOE.
ALC_TSU_EXT.1.3c The description shall include the mechanisms publicly available for reporting security issues pertaining to the TOE.
ALC_TSU_EXT.1.4c The description shall include where users can seek information about the availability of new updates including details (e.g. CVE identifiers) of the specific public vulnerabilities corrected by each update.
ALC_TSU_EXT.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.4 Tests (ATE)
5.2.4.1 ATE_IND.1: Independent Testing - sample
ATE_IND.1.1d The developer shall provide the TOE for testing.
ATE_IND.1.1c The TOE shall be suitable for testing.
ATE_IND.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_IND.1.2e The evaluator shall test a subset of the TSF to confirm that the TSF operates as specified.
5.2.5 Vulnerability Assessment (AVA)
5.2.5.1 AVA_VAN.1: Vulnerability Survey
AVA_VAN.1.1d The developer shall provide the TOE for testing.
AVA_VAN.1.1c The TOE shall be suitable for testing.
AVA_VAN.1.1e The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_VAN.1.2e The evaluator shall perform a search of public domain sources to identify potential vulnerabilities in the TOE.
AVA_VAN.1.3e The evaluator shall conduct penetration testing, based on the identified potential vulnerabilities, to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential.
6 TOE Summary Specification
This chapter describes the security functions:
• Security audit
• Cryptographic support
• User data protection
• Identification and authentication
• Security management
• Protection of the TSF
• TOE access
• Trusted path/channels
6.1 Security Audit
FAU_GEN.1
The following table enumerates the events that the TOE audits. Requirements marked with "(O)" are from Table 2: Additional Auditable Events of the MDFPP31.
Requirement | Audit Event | Content
FAU_GEN.1 | Start-up and shutdown of the audit functions |
FAU_GEN.1 | All administrative actions |
FAU_GEN.1 | Start-up and shutdown of the OS and kernel |
FAU_GEN.1 | Insertion or removal of removable media |
FAU_GEN.1 | Establishment of a synchronizing connection |
FAU_GEN.1 | Reaching the configured audit log critical size limit |
FCS_CKM.1 | Failure of key generation activity for authentication keys. |
FCS_HTTPS_EXT.1 (O) | Failure of the certificate validity check. | Issuer Name and Subject Name of certificate.
FCS_STG_EXT.1 | Import or destruction of key. | Identity of key. Role and identity of requestor.
FCS_STG_EXT.3 | Failure to verify integrity of stored key. | Identity of key being verified.
FCS_TLSC_EXT.1 (O) | Failure to establish a TLS session. | Reason for failure.
FCS_TLSC_EXT.1 (O) | Failure to verify presented identifier. | Presented identifier and reference identifier.
FCS_TLSC_EXT.1 (O) | Establishment/termination of a TLS session. | Non-TOE endpoint of connection.
FCS_TLSC_EXT.1/WLAN | Failure to establish an EAP-TLS session. | Reason for failure.
FCS_TLSC_EXT.1/WLAN | Establishment/termination of an EAP-TLS session. | Non-TOE endpoint of connection.
FDP_DAR_EXT.2 | Failure to encrypt/decrypt data. |
FDP_STG_EXT.1 | Addition or removal of certificate from Trust Anchor Database. | Subject name of certificate.
FIA_UAU.6 (O) | User changes Password Authentication Factor. |
FIA_X509_EXT.1 | Failure to validate X.509v3 certificate. | Reason for failure of validation.
FIA_X509_EXT.2 (O) | Failure to establish connection to determine revocation status. |
FMT_SMF_EXT.1 | Change of settings. | Role of user that changed setting. Value of new setting.
FMT_SMF_EXT.1 (O) | Success or failure of function. | Role of user that performed function. Function performed. Reason for failure.
FMT_SMF_EXT.1 (O) | Initiation of software update. | Version of update.
FMT_SMF_EXT.1 (O) | Initiation of application installation or update. | Name and version of application.
FPT_TST_EXT.1 & FPT_TST_EXT.1/WLAN | Initiation of self-test. Failure of self-test. | [none]
FPT_TST_EXT.1/WLAN | Execution of this set of TSF self-tests. [detected integrity violations] | [The TSF binary file that caused the integrity violation].
FPT_TST_EXT.2(1) | Start-up of TOE. [none] | No additional information. [no additional information]
FPT_TUD_EXT.2 (O) | Success or failure of signature verification for software updates. |
FPT_TUD_EXT.2 (O) | Success or failure of signature verification for applications. |
FTA_TAB.1 (O) | Change in banner setting. |
FTA_WSE_EXT.1 | All attempts to connect to access points. | Identity of access point being connected to as well as success and failures (including reason for failure).
FTP_ITC_EXT.1/WLAN | All attempts to establish a trusted channel. (TD0194 applied) | Identification of the non-TOE endpoint of the channel.
Table 9 - Audit Events
FAU_SAR.1
The TOE provides the ability for the administrator to export and read the audit log.
FAU_SEL.1
The TOE provides the ability to select the audit events that are logged. There are three classes of audit events that can be logged: system and apps, kernel, and IP tables. Each can be controlled individually, so the administrator can log just select classes of events. Within the classes, events can be selected based upon success, failure, severity, event group, and UID.
FAU_STG.1
The TOE stores audit records in a file within the file system accessible only to Linux processes with system permissions (effectively the TSF itself and MDM agents possessing a valid Knox license using the defined APIs). These restrictions prevent the unauthorized modification or deletion of the audit records stored in the audit files.
FAU_STG.4
The TOE pre-allocates a file system area (between 10 MB and 50 MB in size, depending upon available storage on the device) by creating a /data/system/[admin_uid]_bubble/bubbleFile and directory (/data/system/[admin_uid]) in which to archive compressed audit logs. If the TOE lacks sufficient space (at least 10 MB), then the TOE returns a failure code in response to the administrator's attempt to enable the Audit Log. Once enabled, the TOE writes audit events into nodes until they reach a given size, and then compresses and archives the records. The TOE utilizes a circular buffer approach to handle the case where the accumulated, compressed audit events exceed the allocated file system size. When the limit is reached, the TOE removes the oldest audit logs, freeing space for new records.
6.2 Cryptographic Support
FCS_CKM.1
The TOE supports asymmetric key generation for all types in accordance with FIPS 186-4. The TOE generates RSA keys in its SCrypto library and generates DH/ECDH/ECDSA (including P-256, P-384 and P-521) keys in both its SCrypto and BoringSSL libraries. The TOE supports generating keys with a security strength of 112 bits and larger, thus supports 2048-bit RSA and DH keys, and 256-bit ECDH/ECDSA keys. The TOE's RSA and ECDSA implementations have the CAVP certificates described in the FCS_COP.1 section below.
Cryptographic Library | RSA Generation | DH (FFC) | ECDH (ECC) | ECDSA (ECC)
BoringSSL (user space) | No | Yes | Yes | Yes
Kernel Crypto (Kernel) | No | No | No | No
SCrypto (TrustZone) | Yes | No | No | Yes
Application Processor | No | No | No | No
Table 10 - Asymmetric Key Generation per Module
FCS_CKM.1/WLAN
The TOE adheres to IEEE 802.11-2012 and IEEE 802.11ac-2014 for key generation. The TOE's wpa_supplicant provides the PRF384 for WPA2 derivation of the 128-bit AES Temporal Key (using the HMAC implementation provided by BoringSSL) and employs its BoringSSL AES-256 DRBG when generating random values used in the EAP-TLS and 802.11 4-way handshake. The TOE supports the AES-128 CCMP encryption mode. The TOE has successfully completed certification (including WPA2 Enterprise) and received Wi-Fi CERTIFIED Interoperability Certificates from the Wi-Fi Alliance. The Wi-Fi Alliance maintains a website providing further information about the testing program: http://www.wi-fi.org/certification.
Device Name | Model Number | Wi-Fi Alliance Certificate Numbers
Galaxy S10 5G | SM-G977x | 82195, 81903, 83089, 83091, 83218
Galaxy S10+ | SM-G975x | 81105, 81373, 81251, 81112
Galaxy S10 | SM-G973x | 81104, 81333, 81306, 81110
Galaxy S10e | SM-G970x | 81503, 81380, 81314, 81108
Galaxy Fold | SM-F900x | 82762, 81957, 83434
Galaxy Note9 | SM-N960x | 77419, 77551, 77856, 78546
Galaxy Tab S4 | SM-T83xx | 77514, 78237, 78240, 78266, 78239, 78267, 78268, 78269, 78815
Galaxy S9+ | SM-G965x | 73947, 73948, 74090, 75146, 75153, 75267, 76121, 76530
Galaxy S9 | SM-G960x | 73958, 73959, 73962, 75099, 75141, 75250, 76120, 76860
Galaxy Note8 | SM-N950x | 71978, 72621, 72951, 72945
Galaxy S8+ | SM-G955x | 69849, 69616, 70173
Galaxy S8 | SM-G950x | 69612, 69529, 70171
Galaxy S8 Active | SM-G892x | 71547, 73447
Table 11 - Wi-Fi Alliance Certificates
FCS_CKM.1/VPN
The VPN uses the TOE cryptographic libraries to generate asymmetric keys (RSA or ECDSA) for authentication during the IKE key exchange. Note that ECDSA is only supported by IKEv2 connections.
FCS_CKM.2(1)
The TOE supports RSA (800-56B, as an initiator only), DHE (FFC 800-56A), and ECDHE (ECC 800-56A) methods in TLS key establishment/exchange. The TOE has CVL KAS and ECDSA CAVP algorithm certificates for Elliptic Curve key establishment and key generation respectively, as described in the FCS_COP.1 section below. Samsung vendor-affirms that the TOE's RSA key establishment follows 800-56B. The user and administrator need to take no special configuration of the TOE, as the TOE automatically generates the keys needed for negotiated TLS cipher suites. Because the TOE only acts as a TLS client, the TOE only performs 800-56B encryption (specifically the encryption of the Pre-Master Secret using the Server's RSA public key) when participating in TLS_RSA_* based TLS handshakes. Thus, the TOE does not perform 800-56B decryption. However, the TOE's TLS client correctly handles other cryptographic errors (for example, invalid checksums, incorrect certificate types, corrupted certificates) by sending a TLS fatal alert.
FCS_CKM.2(2)
The TOE uses ECDH key establishment with the P-256 curve for protection of application sensitive data received while the device is locked.
FCS_CKM.2/WLAN
The TOE adheres to the RFC 3394, SP 800-38F, and 802.11-2012 standards and unwraps the GTK (sent encrypted with the WPA2 KEK using AES Key Wrap in an EAPOL-Key frame). The TOE, upon receiving an EAPOL frame, will subject the frame to a number of checks (frame length, EAPOL version, frame payload size, EAPOL-Key type, key data length, EAPOL-Key CCMP descriptor version, and replay counter) to ensure a proper EAPOL message and then decrypt the GTK using the KEK, thus ensuring that it does not expose the Group Temporal Key (GTK).
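The checks the FCS_CKM.2/WLAN paragraph lists, followed by the RFC 3394 unwrap, as an added example (not wpa_supplicant's or Samsung's code): it parses an IEEE 802.11 RSN key descriptor with Python's struct module, rejects the frame on each check before any key material is touched, and only then unwraps the key data. Assumptions: the layout constants follow the IEEE 802.11-2012 EAPOL-Key frame; the 16-byte block cipher is a four-round Feistel stand-in keyed through SHA-256 so the file runs without an AES library, and must be replaced by AES-ECB block encryption/decryption under the KEK (for example from the `cryptography` package) for real traffic; the KEK, key data and frame are constructed test input.

```python
"""EAPOL-Key frame checks before an RFC 3394 GTK unwrap (added example).

Layout constants follow the IEEE 802.11 RSN key descriptor. The 16-byte
block cipher is a SHA-256-keyed Feistel stand-in, NOT AES: swap in AES-ECB
block encrypt/decrypt under the KEK for real traffic.
"""
import hashlib
import struct

EAPOL_KEY_TYPE = 3                 # EAPOL packet type: EAPOL-Key
RSN_DESCRIPTOR = 2                 # IEEE 802.11 key descriptor type
KEY_INFO_VERSION_MASK = 0x0007     # descriptor version (2/3 = AES key wrap)
KEY_INFO_ENCRYPTED = 0x1000        # Encrypted Key Data bit
AES_KEY_WRAP_VERSIONS = (2, 3)
KEY_BODY_FMT = ">BHHQ32s16sQ8s16sH"        # descriptor ... key data length
KEY_BODY_LEN = struct.calcsize(KEY_BODY_FMT)   # 95 bytes before key data
RFC3394_IV = b"\xa6" * 8
MASK64 = (1 << 64) - 1


class EapolKeyError(ValueError):
    """Raised when a frame fails a check; no key material is returned."""


def _mix(x):                       # toy diffusion step for the stand-in cipher
    x = (x * 0x9E3779B97F4A7C15) & MASK64
    return x ^ (x >> 29) ^ ((x << 17) & MASK64)


def _round_keys(kek):
    d = hashlib.sha256(kek).digest()
    return [int.from_bytes(d[8 * i:8 * i + 8], "big") for i in range(4)]


def _feistel(keys, block):         # 4-round Feistel; decrypt = reversed keys
    l, r = int.from_bytes(block[:8], "big"), int.from_bytes(block[8:], "big")
    for k in keys:
        l, r = r, l ^ _mix(r ^ k)
    return r.to_bytes(8, "big") + l.to_bytes(8, "big")


def block_encrypt(kek, block):
    return _feistel(_round_keys(kek), block)


def block_decrypt(kek, block):
    return _feistel(list(reversed(_round_keys(kek))), block)


def key_wrap(kek, plain):
    """RFC 3394 wrap (only needed here to build test frames)."""
    n = len(plain) // 8
    a, r = RFC3394_IV, [plain[8 * i:8 * i + 8] for i in range(n)]
    for j in range(6):
        for i in range(1, n + 1):
            b = block_encrypt(kek, a + r[i - 1])
            a = (int.from_bytes(b[:8], "big") ^ (n * j + i)).to_bytes(8, "big")
            r[i - 1] = b[8:]
    return a + b"".join(r)


def key_unwrap(kek, wrapped):
    """RFC 3394 unwrap; the A6A6... check fails on a wrong KEK or tampering."""
    if len(wrapped) < 24 or len(wrapped) % 8:
        raise EapolKeyError("wrapped key data must be >= 24 bytes and a multiple of 8")
    n = len(wrapped) // 8 - 1
    a, r = wrapped[:8], [wrapped[8 * i:8 * i + 8] for i in range(1, n + 1)]
    for j in range(5, -1, -1):
        for i in range(n, 0, -1):
            a_t = (int.from_bytes(a, "big") ^ (n * j + i)).to_bytes(8, "big")
            b = block_decrypt(kek, a_t + r[i - 1])
            a, r[i - 1] = b[:8], b[8:]
    if a != RFC3394_IV:
        raise EapolKeyError("RFC 3394 integrity check failed")
    return b"".join(r)


def check_and_unwrap(frame, kek, last_replay):
    """Apply the supplicant-side checks, then unwrap. Returns (key_data, replay)."""
    if len(frame) < 4 + KEY_BODY_LEN:
        raise EapolKeyError("frame too short")
    version, ptype, body_len = struct.unpack(">BBH", frame[:4])
    if version not in (1, 2):                       # 802.1X-2001 / 802.1X-2004
        raise EapolKeyError("unsupported EAPOL version")
    if ptype != EAPOL_KEY_TYPE:
        raise EapolKeyError("not an EAPOL-Key packet")
    if body_len < KEY_BODY_LEN or body_len > len(frame) - 4:
        raise EapolKeyError("body length inconsistent with frame length")
    body = frame[4:4 + body_len]
    desc, key_info, _klen, replay, _nonce, _iv, _rsc, _rsv, _mic, kd_len = \
        struct.unpack(KEY_BODY_FMT, body[:KEY_BODY_LEN])
    if desc != RSN_DESCRIPTOR:
        raise EapolKeyError("unexpected key descriptor type")
    if key_info & KEY_INFO_VERSION_MASK not in AES_KEY_WRAP_VERSIONS:
        raise EapolKeyError("descriptor version is not AES key wrap (required for CCMP)")
    if kd_len != body_len - KEY_BODY_LEN:
        raise EapolKeyError("key data length does not match body length")
    if not key_info & KEY_INFO_ENCRYPTED:
        raise EapolKeyError("key data not flagged as encrypted")
    if replay <= last_replay:
        raise EapolKeyError("replay counter did not increase")
    return key_unwrap(kek, body[KEY_BODY_LEN:]), replay


def reject_reason(frame, kek, last_replay):
    """None if the frame is accepted, else the reason it was rejected."""
    try:
        check_and_unwrap(frame, kek, last_replay)
        return None
    except EapolKeyError as e:
        return str(e)


def build_frame(kek, key_data, replay, version=2):
    """Constructed EAPOL-Key message 3 (pairwise, install, ACK, MIC, encrypted)."""
    wrapped = key_wrap(kek, key_data)
    key_info = KEY_INFO_ENCRYPTED | 0x0100 | 0x0080 | 0x0040 | 0x0008 | 0x0002
    body = struct.pack(KEY_BODY_FMT, RSN_DESCRIPTOR, key_info, 16, replay,
                       b"\x11" * 32, b"\0" * 16, 0, b"\0" * 8, b"\0" * 16,
                       len(wrapped)) + wrapped
    return struct.pack(">BBH", version, EAPOL_KEY_TYPE, len(body)) + body
```

The order of the checks matters as much as their presence: length and type checks come first so that malformed input is dropped before any field is interpreted, the replay counter is compared before unwrapping so that a replayed message 3 never reaches the KEK, and the unwrap's A6A6... integrity value is the only point at which the KEK is used. A real implementation also verifies the Key MIC over the frame before trusting any field; that step is omitted here because it needs the KCK and a second MAC primitive, not because it is optional.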
FCS_CKM_EXT.1
The TOE supports a Root Encryption Key (REK) within the main (application) processor. Requests for encryption or decryption chaining to the REK are only accessible through the Trusted Execution Environment, or TEE (TrustZone). The REK lies in a series of 256-bit fuses, programmed during manufacturing. The TEE does not allow direct access to the REK but provides services to derive a HEK (Hardware Encryption Key, which is derived from the REK through a KDF function) for encryption and decryption.
The REK value is generated during manufacturing either by the TOE (if it detects that the REK fuses have not been set) using its hardware DRBG, or during fabrication using an external RBG that meets the requirements of this PP in that the process utilizes a SHA-256 Hash_DRBG seeded by a hardware entropy source identical in architecture to that within the TOE. This fabrication process includes strict controls (including physical and logical access control to the manufacturing room where programming takes place, as well as video surveillance and access only to specific, authorized, trusted individuals) to ensure that the fabricator cannot access any REK values between generation and programming.
FCS_CKM_EXT.2
The TOE supports Data Encryption Key (DEK) generation using its approved RBGs for use in ODE and SD card encryption. The TOE RBGs are capable of generating AES 256-bit DEKs in response to applications and services on the device. These can be accessed through both Android native APIs and C APIs, depending on the library being called. For FBE, the TOE supports using a KDF to concatenate keys together to generate unique DEKs. The keys used in the KDF are generated by the approved RBGs.
FCS_CKM_EXT.3
The TOE generates KEKs (which are always AES 256-bit keys generated by one of the TOE's DRBGs) through a combination of methods. First, the TOE generates a KEK (the Keystore master key) for each user of the TOE.
The TOE also generates encryption KEKs for ODE, FBE, the SD Card encryption, and Knox Workspace container encryption (normal and sensitive). The TOE generates a number of different KEKs. In addition to the TSF KEKs, applications may request key generation (through the Android APIs), and the TOE utilizes its BoringSSL CTR_DRBG and Kernel Crypto HMAC_DRBG to satisfy those requests. The requesting application ultimately chooses whether to use that key as a DEK or a KEK, but it is worth mentioning here, as an application can utilize such a key as a KEK, should it choose.
FCS_CKM_EXT.4
The TOE destroys cryptographic keys when they are no longer in use by the system. The exceptions to this are public keys (that protect the boot chain and software updates) and the REK, which are never cleared. Keys stored in RAM during use are destroyed by a zero overwrite. Keys stored in Flash (i.e. eMMC) are destroyed by cryptographic erasure through a block erase call to the flash controller for the location where the ODE/FBE and SD Card keys are stored. Once these are erased, all keys (and data) stored within the encrypted data partition of the TOE are considered cryptographically erased.
FCS_CKM_EXT.5
The TOE provides a TOE Wipe function that first erases the encrypted ODE DEK used to encrypt the entire data partition, using a block erase and read-verify command to ensure that the TOE writes zeros to the UFS blocks containing the encrypted DEKs (FBE, ODE, and SD card). After overwriting that, the TOE will reformat the partition. Upon completion of reformatting the Flash partition holding user data, the TOE will perform a power-cycle.
FCS_CKM_EXT.6
The TOE creates salts and nonces (which are just salt values used in WPA2) using its AES-256 CTR_DRBG.
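The REK to HEK derivation in FCS_CKM_EXT.1, the FBE practice in FCS_CKM_EXT.2 of producing unique DEKs with a KDF over concatenated keys, and the per-purpose KEKs of FCS_CKM_EXT.3 all rest on the construction that appears as KBKDF (SP 800-108) in the CAVP tables below: a counter-mode KDF with an HMAC PRF. The following is an added example, not Samsung's TEE implementation: it implements SP 800-108 section 5.1 counter mode with HMAC-SHA-256 and uses it for the derivations the TSS describes. The labels, contexts and key names are illustrative, and the REK is a constructed 32-byte value rather than fuse contents.

```python
"""SP 800-108 counter-mode KDF with HMAC-SHA-256, applied to a REK-rooted
key hierarchy (added example; labels, contexts and key names are illustrative)."""
import hashlib
import hmac

PRF_LEN = hashlib.sha256().digest_size   # 32 bytes per PRF output block


def kbkdf_counter(ki: bytes, label: bytes, context: bytes, length: int, r: int = 32) -> bytes:
    """K(i) = HMAC(KI, [i]_r || Label || 0x00 || Context || [L]_32), i = 1..n;
    KO = leftmost `length` bytes of K(1) || ... || K(n)  (SP 800-108 section 5.1)."""
    n = -(-length // PRF_LEN)                       # ceil(L / h)
    if n > (1 << r) - 1:
        raise ValueError("requested length exceeds the counter range")
    l_bits = (length * 8).to_bytes(4, "big")        # [L] binds the output length
    out = b""
    for i in range(1, n + 1):
        data = i.to_bytes(r // 8, "big") + label + b"\x00" + context + l_bits
        out += hmac.new(ki, data, hashlib.sha256).digest()
    return out[:length]


def derive_hek(rek: bytes, purpose: bytes) -> bytes:
    """HEK for one purpose, derived from the REK inside the TEE; callers only
    ever see outputs of this KDF, never the REK itself."""
    return kbkdf_counter(rek, b"HEK", purpose, 32)


def derive_file_dek(class_key: bytes, file_nonce: bytes) -> bytes:
    """FBE-style per-file DEK: the class key and a per-file nonce are bound
    together through the KDF rather than by plain concatenation."""
    return kbkdf_counter(class_key, b"FBE-file", file_nonce, 32)


def key_hierarchy(rek: bytes, user_ids, file_nonces):
    """One HEK per purpose, one keystore-master KEK per user, one DEK per file."""
    hek_keystore = derive_hek(rek, b"keystore")
    hek_fbe = derive_hek(rek, b"fbe")
    user_kek = {u: kbkdf_counter(hek_keystore, b"KEK-user", str(u).encode(), 32)
                for u in user_ids}
    file_dek = {nonce: derive_file_dek(hek_fbe, nonce) for nonce in file_nonces}
    return {"hek_keystore": hek_keystore, "hek_fbe": hek_fbe,
            "user_kek": user_kek, "file_dek": file_dek}


if __name__ == "__main__":
    REK = bytes(range(32))             # constructed stand-in for fuse contents
    tree = key_hierarchy(REK, [0, 10], [b"\x00" * 16, b"\x01" * 16])
    print("HEK/keystore", tree["hek_keystore"].hex())
    print("HEK/fbe     ", tree["hek_fbe"].hex())
```

Two properties of the construction are worth checking when reviewing a TEE implementation: the label and context are what separate keys that share the REK, so two purposes must never be given the same (label, context) pair, and the [L] field means a 64-byte request is not a prefix-extension of a 32-byte one, which blocks an attacker who can request longer outputs from learning shorter keys.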
Salt value and size | RBG origin | Salt storage location
User password salt (256-bit) | BoringSSL's AES-256 CTR_DRBG | Flash file system
TLS client_random (256-bit) | BoringSSL's AES-256 CTR_DRBG | N/A (ephemeral)
TLS pre_master_secret (384-bit) | BoringSSL's AES-256 CTR_DRBG | N/A (ephemeral)
TLS DHE/ECDHE private value (256, 384, 512) | BoringSSL's AES-256 CTR_DRBG | N/A (ephemeral)
WPA2 4-way handshake supplicant nonce (SNonce) | BoringSSL's AES-256 CTR_DRBG through wpa_supplicant | N/A (ephemeral)
Table 12 - Salt Creation
FCS_COP.1
The TOE performs cryptographic algorithms in accordance with the following NIST standards and has received the following CAVP algorithm certificates.
The BoringSSL v1.3 library provides the following algorithms.
Algorithm | NIST Standard | SFR Reference | Cert#
AES 128/256 CBC, GCM, KW | FIPS 197, SP 800-38A/D/F | FCS_COP.1(1) | C:425
CVL ECC/FFC | SP 800-56A | FCS_CKM.2(1), FCS_CKM_EXT.3 | C:425
DSA FFC SigGen/SigVer | FIPS 186-4 | FCS_CKM.1 | C:425
DRBG CTR | SP 800-90A | FCS_RBG_EXT.1 | C:425
ECDSA PKG/PKV/SigGen/SigVer | FIPS 186-4 | FCS_CKM.1, FCS_CKM.2(1), FCS_COP.1(3) | C:425
HMAC SHA-1/256/384/512 | FIPS 198-1 & 180-4 | FCS_COP.1(4) | C:425
RSA SigGen/SigVer | FIPS 186-4 | FCS_COP.1(3) | C:425
SHS SHA-1/256/384/512 | FIPS 180-4 | FCS_COP.1(2) | C:425
KBKDF | SP 800-108 | FCS_CKM_EXT.3 | C:425
Table 13 - BoringSSL Cryptographic Algorithms
The evaluated devices utilize the following kernels for the Samsung Kernel Cryptographic Module (Kernel Crypto).
Device | Kernel Version | Kernel Crypto Version
S10 5G/S10+/S10/S10e (Samsung) | 4.14 | 2.0
S10 5G/S10+/S10/S10e/Fold (Qualcomm) | 4.14 | 2.0
S9/S9+/Note9 (Samsung) | 4.9 | 1.9
S9/S9+/Note9 (Qualcomm) | 4.9 | 1.9
Tab S4 | 4.4 | 1.8
S8/S8+/Note8 (Samsung) | 4.4 | 1.8
S8/S8+/Note8 (Qualcomm) | 4.4 | 1.8
Table 14 - Kernel Versions
The Samsung Kernel Cryptographic ("Kernel Crypto") Module provides the following algorithms.
Algorithm | NIST Standard | SFR Reference | Cert#
AES 128/256 CBC | FIPS 197, SP 800-38A | FCS_COP.1(1) | C:406, C:354, 5184, 5183, 4427, 4426, 4425, 4424
HMAC SHA-1/256 | FIPS 198-1 & 180-4 | FCS_COP.1(4) | C:406, C:354, 3440, 3439, 2939, 2938, 2937, 2936
DRBG SHA-256 HMAC_DRBG | SP 800-90A | FCS_RBG_EXT.1 | C:583, C:354, 1958, 1453, 1452
SHS SHA-1/256 | FIPS 180-4 | FCS_COP.1(2) | C:406, C:354, 4188, 4187, 3644, 3643, 3642, 3641
KBKDF | SP 800-108 | FCS_CKM_EXT.2, FCS_CKM_EXT.3 | C:354
Table 15 - Samsung Kernel Cryptographic Algorithms

The evaluated devices utilize the Samsung SCrypto Cryptographic Module for cryptographic operations within the TEE on each device. The following table lists the TEE operating systems for each device.

Device | TEE OS Version | SCrypto Version
S10 5G/S10+/S10/S10e (Samsung) | TEEGRIS 3.1 | 2.4
S10 5G/S10+/S10/S10e/Fold (Qualcomm) | QSEE 5.2 | 2.4
S9/S9+/Note9 (Samsung) | Kinibi 400A | 2.2
S9/S9+/Note9 (Qualcomm) | QSEE 5.0 | 2.2
Tab S4 | QSEE 4.0 | 2.0
S8/S8+/Note8 (Samsung) | Kinibi 400A | 2.0
S8/S8+/Note8 (Qualcomm) | QSEE 4.0 | 2.0
Table 16 - TEE Environments

The Samsung SCrypto TEE library provides the following algorithms. Note that the TOE only performs RSA signing/decryption (using the private key) in the TEE, and performs public key verification/encryption in the normal world using BoringSSL.
Algorithm | NIST Standard | SFR Reference | Cert#
AES CBC/GCM | FIPS 197, SP 800-38A/D | FCS_COP.1(1) | C:428, 5180, 4389
DRBG AES-256 CTR_DRBG | SP 800-90A | FCS_RBG_EXT.1 | C:428, 1955, 1412
ECDSA PKG/PKV/SigGen/SigVer | FIPS 186-4 | FCS_CKM.1, FCS_COP.1(3) | C:428, 1343, 1049
HMAC SHA-1/256/384/512 | FIPS 198-1 & 180-4 | FCS_COP.1(4) | C:428, 3436, 2916
RSA KeyGen and SigGen (no verification) | FIPS 186-4 | FCS_CKM.1, FCS_CKM.2(1), FCS_COP.1(3) | C:428, 2781, 2372
SHS SHA-1/256/384/512 | FIPS 180-4 | FCS_COP.1(2) | C:428, 4184, 3618
KBKDF | SP 800-108 | FCS_CKM_EXT.3 | C:428, 175, 125
Table 17 - SCrypto TEE Cryptographic Algorithms

The Chipset hardware has various modules that provide cryptographic functions. The modules and versions are listed here. Only discrete modules are listed here.

Device | Wi-Fi Chipset | Flash Crypto
S10 5G/S10+/S10/S10e (Samsung) | Broadcom BCM4375B1 | Samsung FMP v1.5 (HW 4.0)
S10 5G/S10+/S10/S10e/Fold (Qualcomm) | Broadcom BCM4375B1 | Qualcomm ICE v3.1.0
S9/S9+/Note9 (Samsung) | Broadcom BCM4361 | Samsung FMP v1.4 (HW 4.0)
S9/S9+/Note9 (Qualcomm) | Broadcom BCM4361 | Qualcomm ICE v3.1.0
Tab S4 | Broadcom BCM4361 | Qualcomm ICE v3.0.0
S8/S8+/Note8 (Samsung) | Broadcom BCM4361 | Samsung FMP v1.2 (HW 3.0.2)
S8/S8+/S8 Active/Note8 (Qualcomm) | Broadcom BCM4361 | Qualcomm ICE v3.0.0
Table 18 - Hardware Components

The Chipset hardware provides the following algorithms.
Algorithm | NIST Standard | SFR Reference | Cert#
AES 128 CCM (BCM Wi-Fi) | FIPS 197, SP 800-38C | FCS_COP.1(1) | 4791, 4152
XTS-AES 128/256 (Qualcomm) | FIPS 197, SP 800-38E | FCS_COP.1(1) | C:440, C:439, 4958, 4957, 4473, 4472
DRBG SHA-256 Hash_DRBG (Qualcomm) | SP 800-90A | FCS_RBG_EXT.1 | C:433, C:432, 1788, 1455
SHS SHA-256 (Qualcomm) | FIPS 180-4 | FCS_COP.1(2) | C:471, C:443, C:441, 4048, 4047, 3685, 3684
KBKDF (Qualcomm) | SP 800-108 | FCS_CKM_EXT.3 | C:554, C:471, 171, 142
XTS-AES 128/256 (Exynos FMP) | FIPS 197, SP 800-38E | FCS_COP.1(1) | C:352, 5169, 4423
SHS SHA-256 (Exynos FMP) | FIPS 180-4 | FCS_COP.1(2) | C:353, 4176, 3645
HMAC SHA-256 (Exynos FMP) | FIPS 198-1 & 180-4 | FCS_COP.1(4) | C:353, 3430, 2940
KBKDF (Exynos) | SP 800-108 | FCS_CKM_EXT.3 | C:573, 196, 197
AES 128/256 CBC/GCM (Exynos) | FIPS 197, SP 800-38A/D | FCS_COP.1(1) | C:573, 5367, 5368
SHS SHA-256 (Exynos) | FIPS 180-4 | FCS_COP.1(2) | C:573, 4309, 4310
HMAC SHA-256 (Exynos) | FIPS 198-1 & 180-4 | FCS_COP.1(4) | C:573, 3555, 2057
Table 19 - Chipset Hardware Cryptographic Algorithms

The TOE's application processors include hardware entropy implementations that supply random data within the TEE and to the Linux kernel RNG (/dev/random).

Note that kernel-space system applications utilize the cryptographic algorithm implementations in the Samsung Kernel Cryptographic Module (Kernel Crypto) or in the Chipset hardware, while user-space system applications and mobile applications utilize the BoringSSL library (through the Android API). In the case of each cryptographic library, the library itself includes any algorithms required (for example, BoringSSL provides hash functions for use by HMAC and digital signature algorithms). Trusted Applications executing within the Trusted Execution Environment (TEE) utilize the SCrypto library. For example, the trusted application implementing the Android Keymaster that supports the Android Keystore utilizes the SCrypto library for all of its cryptographic functionality.
For its HMAC implementations, the TOE accepts all key sizes of 160, 256, 384, and 512 bits; supports all SHA sizes save 224 (i.e., SHA-1, 256, 384, and 512); utilizes the specified block size (512 for SHA-1 and SHA-256, and 1024 for SHA-384 and SHA-512); and outputs MAC lengths of 160, 256, 384, and 512 bits.

The TOE conditions the user's password exactly as per SP 800-132 (and thus as per SP 800-197-1) with no deviations by using PBKDF2 with 4096 HMAC-SHA-512 or HMAC-SHA-256 (depending on the use) iterations to combine a 128-bit salt with the user's password. The time needed to derive keying material does not impact or lessen the difficulty faced by an attacker's exhaustive guessing, as the combination of the password-derived KEK with the REK value entirely prevents offline attacks, and the TOE's maximum incorrect password login attempts (between 1 and 30 incorrect attempts with 4-character, minimum, passwords) prevents exhaustive online attacks.

The TOE's algorithm certificates represent the BoringSSL library, Kernel Cryptographic module, SCrypto library, and Chipset hardware implementations. These implementations have been tested upon Android 9 (Pie) running atop both Exynos and Qualcomm ARMv8 chipsets. The TOE's Exynos processor devices include the Samsung Flash Memory Protector, while the TOE's Qualcomm processor devices include hardware XTS-AES (Inline Crypto Engine, ICE) implementations for encryption and decryption.

FCS_HTTPS_EXT.1
The TOE includes the ability to support the HTTPS protocol (compliant with RFC 2818) so that (mobile and system client) applications executing on the TOE can securely connect to external servers using HTTPS. Administrators have no credentials and cannot use HTTPS or TLS to establish administrative sessions with the TOE, as the TOE does not provide any such capabilities.
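The password conditioning parameters stated above, worked in Python as an added example (not Samsung's code): PBKDF2 with 4096 HMAC-SHA-512 iterations over a 128-bit salt, followed by an illustrative way to bind the result to the REK with the SP 800-108 counter-mode KBKDF that the algorithm tables list under FCS_CKM_EXT.3. The REK value, the label/context strings and the combination step are assumptions for the example, not the TOE's actual key hierarchy.

```python
import hashlib
import hmac
import struct

PBKDF2_ITERATIONS = 4096   # iteration count stated in the Security Target
SALT_BYTES = 16            # 128-bit salt, as stated in the Security Target
KEK_BYTES = 32             # all KEKs are 256-bit (FCS_STG_EXT.2)


def condition_password(password: str, salt: bytes, prf: str = "sha512") -> bytes:
    """SP 800-132 PBKDF2 as the ST describes it: 4096 iterations of HMAC-SHA-512
    (or HMAC-SHA-256, depending on the use) over the password and a 128-bit salt,
    yielding a 256-bit password-derived KEK."""
    if prf not in ("sha256", "sha512"):
        raise ValueError("the ST names only HMAC-SHA-256 and HMAC-SHA-512")
    if len(salt) != SALT_BYTES:
        raise ValueError("salt must be exactly 128 bits")
    return hashlib.pbkdf2_hmac(prf, password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEK_BYTES)


def kbkdf_counter(key_in: bytes, label: bytes, context: bytes,
                  length: int = KEK_BYTES) -> bytes:
    """SP 800-108 KDF in counter mode with HMAC-SHA-256 as the PRF, using 32-bit
    counter and length fields (one of the encodings the standard permits):
    K(i) = HMAC(key_in, [i]_32 || label || 0x00 || context || [L]_32)."""
    length_bits = struct.pack(">I", length * 8)
    out = b""
    counter = 1
    while len(out) < length:
        fixed = struct.pack(">I", counter) + label + b"\x00" + context + length_bits
        out += hmac.new(key_in, fixed, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def derive_storage_kek(password: str, salt: bytes, rek: bytes) -> bytes:
    """Illustrative combination (an assumption, not the TOE's actual hierarchy) of the
    two KEKs the ST describes: one derived from the REK and one from the password.
    The KBKDF is keyed by the REK-derived KEK, so the result cannot be recomputed
    without the REK; an attacker holding only a flash image (salt plus wrapped keys)
    therefore has nothing to test password guesses against offline.
    Label and context strings are constructed for the example."""
    if len(rek) != KEK_BYTES:
        raise ValueError("REK must be 256 bits")
    rek_kek = kbkdf_counter(rek, b"REK-KEK", b"example-device-context")
    password_kek = condition_password(password, salt)
    return kbkdf_counter(rek_kek, b"PW-KEK", password_kek)


if __name__ == "__main__":
    # Constructed sample values: a fixed salt and two different hypothetical REKs.
    salt = bytes(range(SALT_BYTES))
    rek_device_a = bytes([0xA5]) * KEK_BYTES
    rek_device_b = bytes([0x5A]) * KEK_BYTES
    print("password KEK :", condition_password("correct horse", salt).hex())
    print("storage KEK A:", derive_storage_kek("correct horse", salt, rek_device_a).hex())
    print("storage KEK B:", derive_storage_kek("correct horse", salt, rek_device_b).hex())
```

The same password and salt yield different storage KEKs on the two devices, which is the property the paragraph above relies on.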
FCS_IPSEC_EXT.1
The TOE's VPN Client implements the IPsec protocol as specified in RFC 4301; however, the VPN Client presents as few configuration options as possible to the User in order to minimize the possibility of misconfiguration and relies upon the Gateway to enforce organizational policies (for things like the specific cipher suites and selection of traffic to protect). For this reason, the VPN Client does not support editing of its SPD entries. The VPN Client will insert a PROTECT rule to IPsec encrypt and send all TOE traffic to the VPN GW (as the VPN Client ignores the IKEv1/IKEv2 Traffic Selector negotiated between the client and gateway and always sends all traffic).

The VPN Client routes all packets through the kernel's IPsec interface (ipsec0) when the VPN is active. The kernel compares packets routed through this interface to the SPDs configured for the VPN to determine whether to PROTECT, BYPASS, or DISCARD each packet. The vendor designed the TOE's VPN Client, when operating in CC Mode, to allow no SPD configuration and always force all traffic through the VPN. The VPN Client ignores any IKEv1/IKEv2 traffic selector negotiations with the VPN GW and will always create an SPD PROTECT rule that matches all traffic. Thus, the kernel will match all packets, subsequently encrypt those packets, and finally forward them to the VPN Gateway. The VPN Client supports tunnel mode for its IPsec connections. The VPN Client provides IKEv1/IKEv2 key establishment as part of its IPsec implementation. The IKEv1/IKEv2 implementation is conformant with RFCs 5996 and 4307 and supports NAT traversal. IKEv1 only supports main mode and requires no configuration for this enforcement.
The TOE provides RFC 4106 conformant AES-GCM-128 and AES-GCM-256, and RFC 3602 conformant AES-CBC-128 and AES-CBC-256 as encryption algorithms. The TOE Platform also provides SHA-1 (SHA-1 can only be used for IKEv2 connections), SHA-256, SHA-384, and SHA-512 in addition to HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384, and HMAC-SHA-512 as integrity/authentication algorithms (producing message digests of 160, 256, 384, and 512 bits in length) as well as Diffie-Hellman Groups 5, 14, 19, 20 and 24. The VPN utilizes the algorithms from the BoringSSL and Kernel Cryptographic modules as part of the IKEv1/IKEv2 and IPsec protocols (however, note that IKEv1 does not support SHA-1). The encrypted payload for IKEv1/IKEv2 uses AES-CBC-128 and AES-CBC-256 as specified in RFC 6379 and (for IKEv2) AES-GCM-128 and AES-GCM-256 as specified in RFC 5282.

The TOE relies upon the VPN Gateway to ensure that by default the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the IKEv1 Phase 1/IKEv2 IKE_SA connection is greater than or equal to the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the IKEv1 Phase 2/IKEv2 CHILD_SA connection. The IKEv1 implementation includes XAUTH authentication.

An administrator can configure the VPN Gateway to limit SA lifetimes based on length of time to values that include 24 hours for IKE SAs and 8 hours for IPsec SAs. The TOE includes hardcoded limits of 10 hours for an IKE SA and 3 hours for an IPsec SA. The TOE and VPN Gateway will rekey their IKE and IPsec SAs after the shorter of either 10 hours or 3 hours respectively (the TOE's fixed lifetimes) or the administrator-specified lifetime configured on the VPN Gateway.

The VPN Client generates the secret value x used in the IKEv1/IKEv2 Diffie-Hellman key exchange ('x' in g^x mod p) using the FIPS-validated RBG specified in FCS_RBG_EXT.1 and having possible lengths of 224, 256, or 384 bits. When a random number is needed for a nonce, the probability that a specific nonce value will be repeated during the life of a specific IPsec SA is less than 1 in 2^112, 2^128, or 2^192.
The VPN Client implements peer authentication using RSA certificates or ECDSA certificates (IKEv1 does not support using ECDSA certificates) that conform to RFC 4945 and FIPS 186-4, or pre-shared keys. If certificates are used, the VPN Client ensures that the IP address or Fully Qualified Distinguished Name (FQDN) contained in a certificate matches the expected IP Address or FQDN for the entity attempting to establish a connection and ensures that the certificate has not been revoked (using the Online Certificate Status Protocol [OCSP] in accordance with RFC 2560).

Pre-shared keys can include any letter from a-z, A-Z, the numbers 0-9, and the special characters located above the numbers on a US keyboard ("!@#$%^&*()"). The specific length of 22 characters required by the VPNC21 is supported by the VPN Client. The VPN Client processes the pre-shared keys by using the entered string as ASCII Hex values.

The TOE supports a number of different Diffie-Hellman (DH) groups for use in SA negotiation including DH Groups 5 (1536-bit MODP), 14 (2048-bit MODP), 19 (256-bit Random ECP), 20 (384-bit Random ECP), and 24 (2048-bit MODP with 256-bit POS). The TOE selects the DH group by selecting the largest group configured by an administrator that is offered by the VPN gateway.

During the Peer Authentication stage of IPsec, the TOE Platform will verify the authenticity of the VPN gateway's X.509v3 certificate by validating the certificate, validating the certificate path, validating the certificate's revocation status using OCSP, validating that the certificate path terminates in a trusted CA certificate, and validating that the CA certificate has the basicConstraints extension present and the CA flag set to true. The TOE will also ensure that the Subject Alternative Name IP address or DNS name in the VPN gateway's certificate matches the IP address or DNS name configured in the VPN profile.
If the configured IP address or DNS name does not match a Subject Alternative Name in the VPN gateway's certificate, the TOE will refuse to establish an IPsec connection with the VPN gateway.

The VPN Client relies upon the VPN Gateway to ensure that the cryptographic algorithms and key sizes negotiated during the IKEv1/IKEv2 negotiation are such that the security strength of the Phase 1/IKE_SA is greater than or equal to that of the Phase 2/CHILD_SA.

FCS_IV_EXT.1
The TOE generates IVs for data storage encryption and for key storage encryption. The TOE uses XTS-AES and AES-CBC mode for data encryption and AES-GCM for key storage.

FCS_RBG_EXT.1
The TOE provides a number of different RBGs including:
1. An AES-256 CTR_DRBG provided by BoringSSL. The TOE provides mobile applications access (through an Android API) to random data drawn from its AES-256 CTR_DRBG.
2. An AES-256 CTR_DRBG provided by SCrypto in the TEE.
3. A SHA-256 HMAC_DRBG provided by Kernel Crypto in the Android kernel.
4. A hardware SHA-256 Hash_DRBG provided by the Qualcomm Application Processor hardware.

The TOE ensures that it initializes each RBG with sufficient entropy ultimately accumulated from a TOE-hardware-based noise source. The TOE uses its hardware-based noise source to fill /dev/random continuously with random data that has full entropy, and in turn, the TOE draws from /dev/random to seed both its AES-256 CTR_DRBG and its SHA-256 HMAC_DRBG. The TOE seeds each of its AES-256 CTR_DRBGs using 384 bits of data from /dev/random, thus ensuring at least 256 bits of entropy. Finally, the TOE seeds the SHA-256 HMAC_DRBG with 440 bits of data from /dev/random, also ensuring that it contains at least 256 bits of entropy. These RBGs are all capable of providing other amounts of entropy (such as 128 bits) to any requesting application. The TOE itself always uses 256 bits of entropy, but other applications or services are not subject to this limitation, and can request 128 bits or 256 bits of entropy subject to their own requirements. The SHA-256 Hash_DRBG in the Qualcomm AP is used to generate the REK on first boot.
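The SHA-256 HMAC_DRBG of SP 800-90A, instantiated with the 440-bit seed the paragraph above states for the Kernel Crypto DRBG, as an added example (not Samsung's or the Linux kernel's code). os.urandom stands in for /dev/random so that it runs anywhere, and the personalization string is constructed for the example.

```python
import hashlib
import hmac
import os

OUTLEN = hashlib.sha256().digest_size   # 32 bytes of HMAC-SHA-256 output
HMAC_DRBG_SEED_BITS = 440               # stated in the ST for the Kernel Crypto HMAC_DRBG
RESEED_INTERVAL = 1 << 48               # SP 800-90A maximum reseed interval for HMAC_DRBG


class HmacDrbg:
    """SP 800-90A HMAC_DRBG (section 10.1.2) with SHA-256."""

    def __init__(self, seed_material: bytes, personalization: bytes = b""):
        # The ST's "at least 256 bits of entropy" claim rests on feeding 440 bits of
        # full-entropy /dev/random output at instantiation; refuse anything shorter.
        if len(seed_material) * 8 < HMAC_DRBG_SEED_BITS:
            raise ValueError(f"seed must be at least {HMAC_DRBG_SEED_BITS} bits")
        self.K = b"\x00" * OUTLEN
        self.V = b"\x01" * OUTLEN
        self._update(seed_material + personalization)
        self.reseed_counter = 1

    def _hmac(self, data: bytes) -> bytes:
        return hmac.new(self.K, data, hashlib.sha256).digest()

    def _update(self, provided_data: bytes) -> None:
        """HMAC_DRBG_Update: fold provided_data into (K, V)."""
        self.K = self._hmac(self.V + b"\x00" + provided_data)
        self.V = self._hmac(self.V)
        if not provided_data:
            return
        self.K = self._hmac(self.V + b"\x01" + provided_data)
        self.V = self._hmac(self.V)

    def reseed(self, seed_material: bytes, additional_input: bytes = b"") -> None:
        """HMAC_DRBG_Reseed with fresh entropy (again 440 bits in this model)."""
        if len(seed_material) * 8 < HMAC_DRBG_SEED_BITS:
            raise ValueError(f"reseed material must be at least {HMAC_DRBG_SEED_BITS} bits")
        self._update(seed_material + additional_input)
        self.reseed_counter = 1

    def generate(self, n_bytes: int, additional_input: bytes = b"") -> bytes:
        """HMAC_DRBG_Generate: return n_bytes of output, then update the state."""
        if self.reseed_counter > RESEED_INTERVAL:
            raise RuntimeError("reseed required")
        if additional_input:
            self._update(additional_input)
        out = b""
        while len(out) < n_bytes:
            self.V = self._hmac(self.V)
            out += self.V
        self._update(additional_input)
        self.reseed_counter += 1
        return out[:n_bytes]


def seed_from_dev_random(n_bits: int) -> bytes:
    """Stand-in for reading n_bits from /dev/random (uses os.urandom here)."""
    return os.urandom(n_bits // 8)


def kernel_style_drbg() -> HmacDrbg:
    """Instantiate the way the ST describes: 440 bits drawn from /dev/random."""
    return HmacDrbg(seed_from_dev_random(HMAC_DRBG_SEED_BITS), b"example-personalization")


if __name__ == "__main__":
    drbg = kernel_style_drbg()
    print(drbg.generate(32).hex())   # 256 bits for the TOE's own use
    print(drbg.generate(16).hex())   # 128 bits, as an application may request
```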
FCS_RBG_EXT.2
The devices save a block of 4096 bits of random data, and upon the next boot, a service called entropy mixer adds the block of saved random data into the Linux Kernel Random Number Generator's input pool.

FCS_SRV_EXT.1/2
The TOE provides applications access to the cryptographic operations including encryption (AES), hashing (SHA), signing and verification (RSA & ECDSA), key hashing (HMAC), password-based key-derivation functions (PBKDF2 HMAC-SHA-512), generating asymmetric keys for key establishment (RSA and ECDH), and generating asymmetric keys for signature generation and verification (RSA, ECDSA). The TOE provides access through Android API methods and through the kernel. The vendor also developed testing applications to enable execution of the NIST algorithm test suite in order to verify the correctness of the algorithm implementations.

FCS_STG_EXT.1
The TOE provides users and applications running on the TOE the ability to generate, import, and securely store symmetric and asymmetric keys through the TOE's Android Keystore. The TOE allows a user to import a certificate (in PKCS#12 [PFX] format) and provides applications running on the TOE an API to import a certificate or secret key. In either case, the TOE will place the key into the user's keystore (and the TOE will remove the PKCS#12 password-based protection if the imported key is a certificate) and doubly encrypt the imported key with DEKs, which in turn are encrypted by a KEK derived from the user's DKEK and a KEK derived from the REK. All user and application keys placed into the user's keystore are secured in this fashion. The user of the TOE can elect to delete keys from the keystore, as well as to wipe the entire device securely.

The TOE affords applications control (control over use and destruction) of keys that they create or import, and only the user or a common application developer can explicitly authorize access, use, or destruction of one application's key by any other application.

Entity | Can Import? | Can Destroy? | Allow Other App to Use? | Allow Other App to Destroy?
User | Yes | Yes | Yes |
Administrator | Yes | Yes | |
Mobile application | Yes | Yes | |
Common application developer | | | Yes | Yes
Table 20 - Key Management Matrix

FCS_STG_EXT.2
The TOE provides protection for all stored keys (i.e. those written to storage media for persistent storage) chained to both the user's password and the REK. All keys are encrypted with AES-GCM or AES-CBC (in the case of SD card File Encryption Keys). All KEKs are 256-bit, ensuring that the TOE encrypts every key with another key of equal or greater strength/size.

In the case of Wi-Fi, the TOE utilizes the 802.11-2012 KCK and KEK keys to unwrap (decrypt) the WPA2 Group Temporal Key received from the access point. Additionally, the TOE protects persistent Wi-Fi keys (user certificates) by storing them in the Android Keystore.

The TOE also stores the Security Log Agent (properties related to the SE Android configuration) in the same manner as the long-term trusted channel key materials.

FCS_STG_EXT.3
The key hierarchy shows that AES-256-GCM is used to encrypt all KEKs other than SD Card keys (which use HMAC for integrity), and the GCM encryption mode itself ensures integrity, as authenticated decryption operations fail if the encrypted KEK becomes corrupted.

FCS_TLSC_EXT.1/2
The TOE provides mobile applications (through its Android API) the use of TLS version 1.2 including support for the selected cipher suites in the selections in section 5.1.2.28.
The TOE supports Common Name (CN) and Subject Alternative Name (SAN) (DNS and IP address) as reference identifiers. The TOE supports client (mutual) authentication. The TOE inherently (without requiring any configuration) supports the evaluated elliptic curves (P-256 and P-384); neither the user nor the administrator need configure anything in order for the TOE to support these curves. The TOE supports the use of wildcards in X.509 reference identifiers (CN and SAN), and the TOE supports certificate pinning through Android's Network security configuration. This configuration allows a mobile application to specify one or more certificate public key hashes (SHA-1 or SHA-256) along with the domain and optionally an expiry. With such a configuration, the application will only establish a TLS connection if one of the public keys in the certificate path matches a "pinned" key hash. After the optional expiry, Android disregards the pinned certificates and performs no pinning (to prevent connectivity issues in apps that have not been updated).

FCS_TLSC_EXT.1/WLAN & FCS_TLSC_EXT.2/WLAN
The TSF supports TLS versions 1.0, 1.1, and 1.2 with client (mutual) authentication and supports the cipher suites in the selections in section 5.1.2.29 for use with EAP-TLS as part of WPA2. The TOE, by design, supports the evaluated elliptic curves (P-256 and P-384) and requires/allows no configuration of the supported curves.

6.3 User Data Protection

FDP_ACF_EXT.1/2/3
The TOE provides protection for high-level services like location, email and calendar, in addition to providing individual permissions to which mobile applications can request access. The TOE provides the following categories of system services to applications:
1. Normal – A lower-risk permission that gives an application access to isolated application-level features, with minimal risk to other applications, the system, or the user. The system automatically grants this type of permission to a requesting application at installation, without asking for the user's explicit approval (though the user always has the option to review these permissions before installing).
2. Dangerous – A higher-risk permission that would give a requesting application access to private user data or control over the device that can negatively impact the user. Because this type of permission introduces potential risk, the system may not automatically grant it to the requesting application. For example, any dangerous permissions requested by an application may be displayed to the user and require confirmation before proceeding, or some other approach may be taken to avoid the user automatically allowing the use of such facilities.
3. Signature – A permission that the system is to grant only if the requesting application is signed with the same certificate as the application that declared the permission. If the certificates match, the system automatically grants the permission without notifying the user or asking for the user's explicit approval.
4. SignatureOrSystem – A permission that the system is to grant only to packages in the Android system image or that are signed with the same certificates. Please avoid using this option, as the signature protection level should be sufficient for most needs and works regardless of exactly where applications are installed. This permission is used for certain special situations where multiple vendors have applications built in to a system image which need to share specific features explicitly because they are being built together.

An example of a normal permission is the ability to vibrate the device: android.permission.VIBRATE. This permission allows an application to make the device vibrate, and an application that does not declare this permission would have its vibration requests ignored.
An example of a dangerous permission would be access to location services to determine the location of the mobile device: android.permission.ACCESS_FINE_LOCATION. The TOE controls access to dangerous permissions during the installation of the application. The TOE prompts the user to review the application's requested permissions (by displaying a description of each permission group, into which individual permissions map, to which an application requested access). If the user approves, then the mobile device continues with the installation of the application. Thereafter, the mobile device grants that application during execution access to the set of permissions declared in its Manifest file.

An example of a signature permission is the android.permission.BIND_VPN_SERVICE that an application must declare in order to utilize the VpnService APIs of the device. Because the permission is a signature permission, the mobile device only grants this permission to an application that requests this permission and that has been signed with the same developer key used to sign the application declaring the permission (in the case of the example, the Android Framework itself).

An example of a signatureOrSystem permission is the android.permission.LOCATION_HARDWARE, which allows an application to use location features in hardware (such as the geofencing API). The device grants this permission to requesting applications that either have been signed with the same developer key used to sign the Android application declaring the permission or that reside in the "system" directory within Android, which for Android 4.4 and above are applications residing in the /system/priv-app/ directory on the read-only system partition. Put another way, the device grants signatureOrSystem permissions by signature or by virtue of the requesting application being part of the "system image."

Additionally, Android includes the following flags that layer atop the base categories:
1. Privileged – this permission can also be granted to any applications installed as privileged apps on the system image. Please avoid using this option, as the signature protection level should be sufficient for most needs and works regardless of exactly where applications are installed. This permission flag is used for certain special situations where multiple vendors have applications built into a system image which need to share specific features explicitly because they are being built together.
2. System – old synonym for "privileged".
3. Development – this permission can also (optionally) be granted to development applications (e.g., to allow additional location reporting during beta testing).
4. Appop – this permission is closely associated with an app op for controlling access.
5. pre23 – this permission can be automatically granted to apps that target API levels below API level 23 (Marshmallow/6.0).
6. Installer – this permission can be automatically granted to system apps that install packages.
7. Verifier – this permission can be automatically granted to system apps that verify packages.
8. Preinstalled – this permission can be automatically granted to any application pre-installed on the system image (not just privileged apps) (the TOE does not prompt the user to approve the permission).

For older applications (those targeting Android's pre-23 API level, i.e., API level 22 [Lollipop] and below), the TOE will prompt a user at the time of application installation whether they agree to grant the application access to the requested services. Thereafter (each time the application is run), the TOE will grant the application access to the services specified during install.

For newer applications (those targeting API level 23 or later), the TOE grants individual permissions at application run-time by prompting the user for confirmation of each permissions category requested by the application (and only granting the permission if the user chooses to grant it).

While Android provides a large number of individual permissions, they are generally grouped into categories or features that provide similar functionality.
Table 21 shows a series of functional categories centered on common functionality.

Service | Features Description
Sensitive I/O Devices & Sensors | Location services, Audio & Video capture, Body sensors
User Personal Information & Credentials | Contacts, Calendar, Call logs, SMS
Metadata & Device ID Information | IMEI, Phone Number
Data Storage Protection | SD Card, App data, App cache
System Settings & Application Management | Date time, Reboot/Shutdown, Sleep, Force-close application, Administrator Enrollment
Wi-Fi, Bluetooth, USB Access | Wi-Fi, Bluetooth, USB tethering, debugging and file transfer
Mobile Device Management & Administration | MDM APIs
Peripheral Hardware | NFC, Camera, Headphones
Security & Encryption | Certificate/Key Management, Password, Revocation rules
Table 21 - Access Control Categories

FDP_DAR_EXT.1
The TOE provides encryption of all data (which includes both user data and TSF data) stored on the data partition and on external media (such as an SD Card) of the TOE. There are three different implementations of encryption depending on the device and the storage media being protected. All devices support the same method on external media. The following table shows the different implementations that are available for internal storage.

Device | Implementation
S10 5G/S10+/S10/S10e/Fold | FBE
S9/S9+/Note9 | ODE
Tab S4 | ODE
S8/S8+/S8 Active/Note8 | ODE
Table 22 - DAR Encryption Implementations

The TOEs supporting ODE also have TSF data for the ODE keys, which the TOE stores outside the ODE-encrypted data partition. For its ODE encryption of the data partition (where the TOE stores all user data and all application data), the TOE uses an AES-256 DEK with XTS mode to encrypt the entire partition.
The TOEs supporting FBE encrypt data using XTS-AES-256 with a unique File Content Encryption Key (FCEK) for each file. File metadata (such as file names) is encrypted separately with AES-CBC-CTS with a unique File Name Encryption Key (FNEK) for each file. FBE supports two separate classes of protection, credentialed and device. While each class is encrypted, the difference is whether the encryption is chained to the user's credentials. By default all data is stored in the credential class, and applications that will store data in the device class are defined during the installation of the application. Device class data can be accessed as soon as the device has started, including prior to the first user authentication.

For the protection of data stored on external media (SD Card), the TOE also provides AES-256-CBC encryption of protected data stored using FEKs. The TOE encrypts each individual file stored on the SD Card, generating a unique FEK for each file.

The TOE's system executables, libraries, and their configuration data reside in a read-only file system outside the data partition.

FDP_DAR_EXT.2
The TOE, as part of the Knox Platform for Enterprise, provides mobile applications the ability to store sensitive data and have the TOE encrypt it accordingly. Based on the Work environment lock-state, sensitive data protected by this mechanism will be encrypted when locked (either directly by the user or via timeout). An application can determine whether sensitive data should remain encrypted in this manner or if it should be re-encrypted (such as by a symmetric key for better performance). Applications can use this to receive and store data securely while the Work environment is locked (such as an email application).
FDP_IFC_EXT.1
The TOE supports the installation of VPN Client applications, which can make use of the provided VPN APIs in order to configure the TOE's routing functionality to direct all traffic through the VPN. The TOE also includes an IPsec VPN Client that ensures all traffic other than traffic necessary to establish the VPN connection (for example, ARP, 802.11-2012 traffic, IKEv1, and IKEv2) flows through the VPN.

The TOE routes all packets through the kernel's IPsec interface (ipsec0) when the VPN is active. The kernel compares packets routed through this interface to the SPDs configured for the VPN to determine whether to PROTECT, BYPASS, or DISCARD each packet. The vendor developed the TOE's VPN, when operating in CC Mode, to allow no configuration and always force all traffic through the VPN. The TOE ignores any IKEv2 traffic selector negotiations with the VPN GW and will always create an SPD PROTECT rule that matches all traffic. Thus, the kernel will match all packets, subsequently encrypt those packets, and finally forward them to the VPN Gateway.

FDP_PBA_EXT.1
The TOE requires the user to enter their password to enroll, re-enroll or un-enroll any biometric templates. When the user attempts biometric authentication to the TOE, the biometric sensor takes an image of the presented biometric for comparison to the enrolled templates. The captured image is compared to all the stored templates on the device to determine if there is a match. The complete biometric authentication process is handled inside the TEE (including image capture, all processing and match determination). The image is provided to the biometric service to check the enrolled templates for a match to the captured image.
FDP_RIP.2
The TOE has been designed to ensure that no residual information exists in network packets when the VPN is turned on. When the TOE allocates a new buffer for either an incoming or an outgoing network packet, the new packet data will be used to overwrite any previous data in the buffer. If an allocated buffer exceeds the size of the packet, any additional space will be overwritten (padded) with zeros before the packet is forwarded (to the external network or delivered to the appropriate internal application).

FDP_STG_EXT.1
The TOE's Trusted Anchor Database consists of the built-in certs (individually stored in /system/etc/security/cacerts) which the user can disable using the TOE's Android user interface [Settings->Security->Trusted Credentials], and consists of any additional user or admin/MDM loaded certificates. Disabled default certificates and user-added certificates reside in the /data/misc/user/0/cacerts-removed and /data/misc/user/0/cacerts-added directories respectively. The built-in ones are protected, as they are part of the TSF's read-only system partition, while the TOE protects user-loaded certificates by storing them with appropriate permissions to prevent modification by mobile applications. The TOE also stores the user-loaded certificates in the user's keystore.
FDP_UPC_EXT.1
The TOE provides APIs allowing non-TSF applications (mobile applications) the ability to establish a secure channel using IPsec, TLS, HTTPS, Bluetooth BR/EDR and Bluetooth LE. Mobile applications can use the following Android APIs for IPsec, TLS, HTTPS, and Bluetooth respectively:
android.net.VpnService
https://developer.android.com/reference/android/net/VpnService.html
com.samsung.android.knox.net.vpn
https://seap.samsung.com/api-references/android/reference/com/samsung/android/knox/net/vpn/package-summary.html
javax.net.ssl.SSLContext
http://developer.android.com/reference/javax/net/ssl/SSLContext.html
javax.net.ssl.HttpsURLConnection
http://developer.android.com/reference/javax/net/ssl/HttpsURLConnection.html
android.bluetooth
http://developer.android.com/reference/android/bluetooth/package-summary.html

6.4 Identification and Authentication

FIA_AFL_EXT.1
The TOE maintains three separate lock screens: the boot lock screen, the device (Android) lock screen and a lock screen for Knox Workspace containers. Each lock screen maintains individually stored (in separate Flash locations) failed login attempt counters.

The boot lock screen is available on devices that support ODE (see Table 22 for the list of devices). The boot lock screen appears after a power cycle, and during this time the user data partition is encrypted and the TOE does not have access to data stored within it. The boot lock screen does not support biometrics for authentication.

The second lock screen is the device (or Android) lock screen, during which time the TOE is active. For devices that support FBE (see Table 22 for the list of devices), after a power cycle the TOE does not have access to encrypted user data. After the first authentication on an FBE device, there are no differences between ODE and FBE as to the operation of the device lock screen.
The TOE maintains, for each lock screen, the number of failed logins since the last successful login, and upon reaching the maximum number of incorrect logins the TOE performs a full wipe of all protected data (and in fact, wipes all users' data). The TOE maintains the number of failed logins across power cycles (so for example, assuming a configured maximum retry of ten incorrect attempts, if one were to enter five incorrect passwords and power cycle the phone, the phone would only allow five more incorrect login attempts before wiping) by storing the number of logins remaining within its Flash file system. An administrator can adjust the number of failed logins to a value between one and 30 through an MDM, and this setting will be used at both lock screens (5).

For users with biometrics enabled, biometric authentication attempts are maintained along with the password attempts. In all cases, biometric or hybrid authentication mechanisms are non-critical and cannot be the authentication method that triggers an action (device or Workspace container wipe). The maximum number of incorrect password authentication attempts can be configured to a value between 1 and 30. The maximum number of biometric attempts is 10 (and cannot be changed). The user can attempt 10 biometric attempts followed by the maximum number of password attempts before the TOE will wipe itself. For example, if the counter were set to 15, 10 biometric attempts would be followed by 15 password attempts before the device was wiped. Alternatively, the user might enter 14 incorrect passwords, and then ten failed biometric authentication attempts followed by a final incorrect password attempt.

(5) Verizon devices supporting ODE only support a maximum of 10 failed attempts at the boot lock screen, but will accept any values below 10 configured by the MDM.
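The counting rules above (a fixed limit of 10 non-critical biometric attempts, an MDM-configurable limit of 1 to 30 password attempts, a wipe that only a password failure can trigger, and counters that survive a power cycle) can be exercised with the following model. It is an added example, not Samsung code; the Flash-backed counter store is represented by a Python dict, a wipe by a raised exception, and Gatekeeper/biometric verification by a boolean supplied by the caller.

```python
"""Model of the FIA_AFL_EXT.1 failed-attempt accounting described above.

Added example, not Samsung code. Assumptions (not on the page): a dict stands
in for the Flash-backed counter store, a wipe is signalled by raising
WipeTriggered, and Gatekeeper/biometric verification is reduced to a boolean.
"""

BIOMETRIC_LIMIT = 10                  # fixed by the TOE, not configurable
PASSWORD_LIMIT_RANGE = range(1, 31)   # an MDM may choose 1..30


class WipeTriggered(Exception):
    """Raised when the configured maximum of incorrect password attempts is reached."""


class LockscreenCounter:
    def __init__(self, max_password_failures, store=None):
        if max_password_failures not in PASSWORD_LIMIT_RANGE:
            raise ValueError("password attempt limit must be between 1 and 30")
        self.max_password_failures = max_password_failures
        # `store` outlives this object, like the counters kept in Flash
        self.store = store if store is not None else {}
        self.store.setdefault("password_failures", 0)
        self.store.setdefault("biometric_failures", 0)

    @property
    def password_remaining(self):
        return self.max_password_failures - self.store["password_failures"]

    @property
    def biometric_allowed(self):
        # After 10 biometric failures only the password is offered
        return self.store["biometric_failures"] < BIOMETRIC_LIMIT

    def attempt_biometric(self, matched):
        """True on match. Never triggers a wipe: biometrics are non-critical."""
        if not self.biometric_allowed:
            raise RuntimeError("biometric attempts exhausted; password required")
        if matched:
            self._reset()
            return True
        self.store["biometric_failures"] += 1
        return False

    def attempt_password(self, correct):
        """True on success; raises WipeTriggered on the final failed attempt."""
        if correct:
            self._reset()
            return True
        self.store["password_failures"] += 1
        if self.store["password_failures"] >= self.max_password_failures:
            raise WipeTriggered("maximum incorrect password attempts reached")
        return False

    def _reset(self):
        self.store["password_failures"] = 0
        self.store["biometric_failures"] = 0


def power_cycle(counter):
    """A reboot discards the object but keeps the persisted counters."""
    return LockscreenCounter(counter.max_password_failures, counter.store)


def run_sequence(max_password_failures, attempts):
    """Replay ("bio" | "pw", ok) attempts on a fresh counter.

    Returns (attempts_accepted, wiped). Biometric attempts presented after the
    biometric limit are refused and not counted.
    """
    counter = LockscreenCounter(max_password_failures)
    accepted = 0
    for kind, ok in attempts:
        if kind == "bio":
            if not counter.biometric_allowed:
                continue
            counter.attempt_biometric(ok)
        else:
            try:
                counter.attempt_password(ok)
            except WipeTriggered:
                return accepted + 1, True
        accepted += 1
    return accepted, False
```

With the counter set to 15, both orderings given in the text (10 biometric failures then 15 password failures, or 14 password failures, 10 biometric failures and one more password failure) wipe on the 25th accepted attempt, and an 11th biometric attempt is simply refused rather than counted.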
The TOE's Knox Workspace container provides its own lock screen, which allows password authentication or hybrid authentication (biometric and password). The hybrid authentication method requires the user to authenticate with a biometric and a password in sequential order. To log in, the user must first enter his or her Knox biometric and only upon successfully verifying the user's biometric, the TOE prompts the user for their Knox password, and the user must enter their password. Knox will count the number of incorrect passwords attempted, and wipe the Knox Workspace container (and its associated data) after the user reaches the configured number of incorrect attempts.

The TOE validates passwords by providing them to Android's Gatekeeper (which runs in the Trusted Execution Environment), and if the presented password fails to validate, the TOE increments the failed attempt counter before displaying a visual error to the user. The TOE validates biometric attempts through the biometric service (which runs in the Trusted Execution Environment), and if the presented biometric does not match the registered templates, the TOE increments the failed attempt counter before displaying a visual error to the user.

FIA_BLT_EXT.1
The TOE requires explicit user authorization before it will pair with a remote Bluetooth device. When pairing with another device, the TOE requires that the user either confirm that a displayed numeric passcode matches between the two devices or that the user enter (or choose) a numeric passcode that the peer device generates (or must enter).

FIA_BLT_EXT.2
The TOE requires explicit user authorization before data transfers over the link. When transferring data with another device, the TOE requires that the user confirm an authorization popup allowing the data transfer (OBEX Object Push) or confirm that the displayed numeric passkey matches between the two devices (RFCOMM).

FIA_BLT_EXT.3
The TOE tracks active connections and actively ignores connection attempts from Bluetooth device addresses for which the TOE already has an active connection.
FIA_BLT_EXT.4
The TOE's Bluetooth host and controller support Bluetooth Secure Simple Pairing and the TOE utilizes this pairing method when the remote host also supports it.

FIA_BLT_EXT.6
The TOE supports the OPP and MAP profiles on a per-service basis (as opposed to a per-app basis) (6).

(6) The Galaxy Tab S4 does not provide MAP profile support.

FIA_BMG_EXT.1(1)/.1(2)/.1(3):
The TOE provides options for fingerprint and iris biometric authentication. Table 23 - Device biometric sensor shows which biometric subsystems are available on each device. The devices under evaluation have two different fingerprint subsystems: an image-based system (fingerprint-I) and an ultrasonic-based system (fingerprint-U).

Device                    | Fingerprint-I | Fingerprint-U | Iris
Galaxy S10 5G (Samsung)   |               | X             |
Galaxy S10 5G (Qualcomm)  |               | X             |
Galaxy S10+ (Samsung)     |               | X             |
Galaxy S10+ (Qualcomm)    |               | X             |
Galaxy S10 (Samsung)      |               | X             |
Galaxy S10 (Qualcomm)     |               | X             |
Galaxy S10e (Samsung)     | X             |               |
Galaxy S10e (Qualcomm)    | X             |               |
Galaxy Fold (Qualcomm)    | X             |               |
Galaxy Note9 (Samsung)    | X             |               | X
Galaxy Note9 (Qualcomm)   | X             |               | X
Galaxy Tab S4             |               |               | X
Galaxy S9+ (Samsung)      | X             |               | X
Galaxy S9+ (Qualcomm)     | X             |               | X
Galaxy S9 (Samsung)       | X             |               | X
Galaxy S9 (Qualcomm)      | X             |               | X
Galaxy Note8 (Samsung)    | X             |               | X
Galaxy Note8 (Qualcomm)   | X             |               | X
Galaxy S8+ (Samsung)      | X             |               | X
Galaxy S8+ (Qualcomm)     | X             |               | X
Galaxy S8 (Samsung)       | X             |               | X
Galaxy S8 (Qualcomm)      | X             |               | X
Galaxy S8 Active          | X             |               | X
Table 23 - Device biometric sensor

In the evaluated configuration, the maximum number of authentication attempts is 40 before a wipe event is triggered. This means that on all devices up to 10 biometric attempts and 30 password attempts could be made before a wipe occurs. Using this as the worst-case scenario leads to a maximum of 10 biometric attempts that can be made for the SAFAR calculations. All devices or configurations provide for fewer attempts (both password and biometric), and so any resulting SAFAR would be lower than this scenario. The last attempt before a wipe must be a password attempt.
For a password-only configuration, the SAFAR claim would be 1:1,000,000 when set for 10 attempts. The password minimum length is 4 characters and there are 93 possible characters that can be used in the password. This is not claimed since this configuration (i.e. no biometric authentication allowed) would not require FIA_BMG_EXT.1, but is shown here for the overall SAFAR calculations.

$SAFAR_{password} = 1 - \left(1 - 1/93^{4}\right)^{30} = 4.010 \times 10^{-7}$

The FAR for fingerprint is 1:10,000 and the FRR is 3%. The SAFAR when a fingerprint is in use is 1:1,000 based on a maximum of 10 attempts of the biometric as noted in the worst-case scenario.

$SAFAR_{fingerprint} = 1 - \left(1 - 10^{-4}\right)^{10} = 9.996 \times 10^{-4}$

The FAR for iris is 1:100,000 and the FRR is 3%. The SAFAR when an iris is in use is 1:10,000 based on a maximum of 10 attempts of the biometric as noted in the worst-case scenario.

$SAFAR_{iris} = 1 - \left(1 - 10^{-5}\right)^{10} = 9.996 \times 10^{-5}$

For all SAFAR calculations the password is considered a critical factor for all combined-factor SAFAR_any calculations as detailed in MDFPP31 section H.4. The SAFAR_any for each modality is shown below. The values are accepted because they are within the 1% margin allowed by MDFPP31.

For devices which support fingerprint biometrics, SAFAR_fingerprint can be used for the calculation of a worst-case scenario.

$SAFAR_{any\text{-}fingerprint} = 1 - \left(1 - SAFAR_{fingerprint}\right) \cdot \left(1 - SAFAR_{password}\right)$

$SAFAR_{any\text{-}fingerprint} = 1.00022 \times 10^{-3}$

For devices that support iris biometrics the SAFAR_any can be calculated using SAFAR_iris for calculating a worst-case scenario.

$SAFAR_{any\text{-}iris} = 1 - \left(1 - SAFAR_{iris}\right) \cdot \left(1 - SAFAR_{password}\right)$

$SAFAR_{any\text{-}iris} = 1.00361 \times 10^{-4}$

The Knox Platform for Enterprise provides hybrid (multi-factor: password and fingerprint and/or iris) authentication. When using the hybrid authentication mechanism, the user must enter a correct biometric factor and then a correct password in order to successfully unlock the container.
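The per-factor and combined SAFAR values above follow from two formulas: for one factor with per-attempt false-accept probability p and n attempts, SAFAR = 1 - (1 - p)^n, and for a lock screen that accepts any one of several independent factors, SAFAR_any = 1 - (1 - SAFAR_1)(1 - SAFAR_2). The script below reproduces the page's numbers from those formulas; it is an added example, not part of the Security Target. The "within 1%" check is my reading of the MDFPP31 margin (SAFAR_any may not exceed the biometric-only SAFAR by more than 1%), which the page does not spell out, and the hybrid entry simply records the page's statement that SAFAR_hybrid equals SAFAR_password.

```python
"""SAFAR arithmetic for the figures above (MDFPP31 section H.4 style).

Added example, not from the Security Target. The "within 1%" check encodes my
reading of the margin; the page only states that the values are within it.
"""
from math import prod

PASSWORD_ALPHABET = 93       # characters usable in a password
PASSWORD_MIN_LENGTH = 4
MAX_PASSWORD_ATTEMPTS = 30   # upper bound an MDM may configure
MAX_BIOMETRIC_ATTEMPTS = 10  # fixed by the TOE
FAR_FINGERPRINT = 1e-4       # 1:10,000
FAR_IRIS = 1e-5              # 1:100,000


def safar(false_accept_rate, attempts):
    """Probability that at least one of `attempts` independent tries is falsely accepted."""
    return 1.0 - (1.0 - false_accept_rate) ** attempts


def safar_password(alphabet=PASSWORD_ALPHABET, length=PASSWORD_MIN_LENGTH,
                   attempts=MAX_PASSWORD_ATTEMPTS):
    """Worst case: shortest allowed password, guessed uniformly from the full alphabet."""
    return safar(1.0 / alphabet ** length, attempts)


def safar_any(*factor_safars):
    """Combined SAFAR when any single factor unlocks the device."""
    return 1.0 - prod(1.0 - s for s in factor_safars)


def relative_increase(biometric_only, combined):
    """How much the password factor raises SAFAR, as a fraction of the biometric SAFAR."""
    return (combined - biometric_only) / biometric_only


def within_margin(biometric_only, combined, margin=0.01):
    """My reading of the MDFPP31 1% margin (assumption, see lead-in)."""
    return relative_increase(biometric_only, combined) <= margin


def worst_case_table():
    """Every value the page derives, keyed by name."""
    pw = safar_password()
    fp = safar(FAR_FINGERPRINT, MAX_BIOMETRIC_ATTEMPTS)
    ir = safar(FAR_IRIS, MAX_BIOMETRIC_ATTEMPTS)
    return {
        "password": pw,
        "fingerprint": fp,
        "iris": ir,
        "any-fingerprint": safar_any(fp, pw),
        "any-iris": safar_any(ir, pw),
        "hybrid": pw,   # biometric factor discounted; the password is the critical factor
    }


if __name__ == "__main__":
    for name, value in worst_case_table().items():
        print(f"SAFAR_{name:16s} = {value:.4e}")
```

Running it prints the password, fingerprint and iris values to the precision the page quotes; the combined iris figure matches the page's 1.00361e-4, and both combined values sit well inside the 1% margin.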
The SAFAR when a hybrid mechanism is in use is equal to SAFAR_password as there is no limit to the number of biometric attempts, but eventually the biometric factor must be entered correctly and then one must always enter a correct password. Given the potentially unlimited biometric attempts, although that could take a very long time given some imposed delays, that factor is discounted in calculating the SAFAR. The password minimum length is 4 characters and there are 93 possible characters that can be used in the password.

$SAFAR_{hybrid} = SAFAR_{password}$

The biometric FAR/FRR values are tested internally by two independent groups using different methodologies. The first set of tests are "offline" in that a specially configured device is connected to a test harness and used to enroll biometric samples for storage. The test harness then uses the samples to run through numerous combinations of the samples to determine FAR/FRR results that are used to tune the algorithms controlling the biometric system. Once testing is complete a second set of tests are performed in an "online" manner where the testing is done with users directly testing on a live device. All devices with different hardware combinations that could affect the biometric subsystem are tested. For example, both the Exynos and Qualcomm versions of the mobile devices are tested individually since the TrustZone components in each device are different. These tests are integrated into the production process and so are repeated continually during the development process.

FIA_BMG_EXT.6
The TOE fingerprint-U biometric modality provides Presentation Attack Detection (PAD) to the intermediate level as defined by the [IBPC] reference paper.
Samsung has validated this biometric modality to the FIDO® Alliance Biometric Certification through an external lab. The FIDO Biometric Certification Requirements can be found here: https://fidoalliance.org/specs/biometric/Biometrics-Requirements-v1.0-wd-20180830.html and the certification listing can be found here (search for Biometric): https://fidoalliance.org/certification/fido-certified-products/.

Slide 10 of the [IBPC] presentation provides for a moderate attack potential (equal to intermediate in this requirement). This type of attack equates to a Level B Presentation Attack Instrument (PAI) species in the FIDO Biometric Certification Requirements. The PAD testing focused on non-cooperative print collection and then the generation of various PAI species for each level (A and B for FIDO, Basic and Intermediate for Common Criteria). The specific PAI species were determined and created independently by the lab.

FIA_PAE_EXT.1
The TOE can join WPA2-802.1X (802.11i) wireless networks requiring EAP-TLS authentication, acting as a client/supplicant (and in that role connect to the 802.11 access point and communicate with the 802.1X authentication server).

FIA_PMG_EXT.1
The TOE authenticates the user through a password consisting of basic Latin characters (upper and lower case, numbers, and the special characters noted in the selection (see section 5.1.4.12)). The TOE can support a minimum password length of as few as four characters and a maximum of no more than sixteen characters. The TOE defaults to requiring passwords to have a minimum of four characters that contain at least one letter and one number. An MDM application can change these defaults and impose password restrictions (like quality, specify another minimum length, the minimum number of letters, numeric characters, lowercase letters, uppercase letters, symbols, and non-letters).
FIA_PSK_EXT.1
The TOE supports the use of pre-shared keys (the TOE allows 1 to 64 character PSKs) for IPsec VPNs. Pre-shared keys can include any letter from a-z, A-Z, the numbers 0-9, and the special characters located above the numbers on a US keyboard ("!@#$%^&*()"). The specific length of 22 characters required by the VPNC21 is supported by the TOE. The TOE does not perform any processing on pre-shared keys. The TOE simply uses the pre-shared key that was entered by the user or administrator.

FIA_TRT_EXT.1
The TOE allows users to authenticate through external ports (either a USB keyboard or a Bluetooth keyboard paired in advance of the login attempt). If not using an external keyboard, a user must authenticate through the standard User Interface (using the TOE touchscreen). The TOE limits the number of authentication attempts through the UI to no more than five attempts within 30 seconds (irrespective of what keyboard the operator uses). Thus if the current [the nth] and prior four authentication attempts have failed, and the n-4th attempt was less than 30 seconds ago, the TOE will prevent any further authentication attempts until 30 seconds have elapsed. Note as well that the TOE will wipe itself when it reaches the maximum number of unsuccessful authentication attempts (as described in FIA_AFL_EXT.1 above).

FIA_UAU.5
The TOE allows the following authentication methods at the different lock screens in CC mode. The available biometrics are dependent on the device, MDM configuration and enrolled templates. Table 23 - Device biometric sensor shows the specific biometric modalities available on each device.
Device                      | Boot Lock | Device Lock          | Knox Workspace Container Lock
S10 5G/S10+/S10/S10e/Fold   | N/A       | Password, Biometrics | Password, Hybrid
S9/S9+/Note9                | Password  | Password, Biometrics | Password, Hybrid
Tab S4                      | Password  | Password, Biometrics | Password, Hybrid
S8/S8+/S8 Active/Note8      | Password  | Password, Biometrics | Password, Hybrid
Table 24 - Allowed Lock Screen Authentication Methods

The TOE prohibits other authentication mechanisms such as pattern or swipe. Use of Smart Lock mechanisms (on-body detection, trusted places, trusted devices, trusted face, and trusted voice) and PIN can be blocked through management controls. Upon restart or power-up the user can only use a password for authentication at the first lock screen (whether this is the boot lock or device lock screen). Once past this initial authentication screen the user is able to use one of the configured methods at the device lock screen and the Knox Workspace container lock screen to log in.

FIA_UAU.6(1)/FIA_UAU.6(2)
The TOE requires the user to enter their password or supply their biometric in order to unlock the TOE. Additionally the TOE requires the user to confirm their current password when accessing the "Settings->Display->Lock Screen->Screen Security->Select screen lock" menu in the TOE's user interface. The TOE can disable Smart Lock through management controls. Only after entering their current user password can the user then elect to change their password.
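The FIA_TRT_EXT.1 throttle described above (no more than five attempts in any 30-second window, with the window measured from the n-4th failed attempt) is a small sliding-window policy. The following is an added example, not Samsung code: timestamps are passed in by the caller as seconds rather than read from the clock so the policy can be exercised deterministically, and an attempt refused while throttled is not recorded as a failure.

```python
"""Sliding-window throttle for FIA_TRT_EXT.1 as described above.

Added example, not Samsung code. `now` is a caller-supplied timestamp in
seconds; attempts refused while throttled are not counted as failures.
"""
from collections import deque

MAX_ATTEMPTS = 5
WINDOW_SECONDS = 30.0


class AttemptThrottle:
    def __init__(self):
        # Timestamps of the current run of consecutive failures (at most five kept)
        self._failures = deque(maxlen=MAX_ATTEMPTS)

    def retry_after(self, now):
        """Seconds until another attempt is accepted; 0.0 when not throttled."""
        if len(self._failures) < MAX_ATTEMPTS:
            return 0.0
        oldest = self._failures[0]             # the n-4th attempt
        return max(0.0, oldest + WINDOW_SECONDS - now)

    def attempt(self, now, success):
        """Process an attempt made at `now`.

        Returns False if the attempt was refused because five consecutive
        failures fall within the last 30 seconds, True if it was processed.
        """
        if self.retry_after(now) > 0.0:
            return False
        if success:
            self._failures.clear()             # a success ends the run of failures
        else:
            self._failures.append(now)         # maxlen discards the oldest timestamp
        return True
```

Five failures at one-second intervals leave the screen locked for 25 more seconds; once the oldest of those five is 30 seconds old a sixth attempt is processed, and the window then slides to the second failure. This throttle only spaces attempts out; the wipe on reaching the configured maximum is the separate FIA_AFL_EXT.1 counter.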
FIA_UAU.7
The TOE's three lock screens (boot lock screen, device lock screen, and Knox Workspace container lock screen), by default, briefly display the most recently entered password character and then obscure the character by replacing the displayed character with a dot symbol. The user can configure the TOE's behavior for the device lock screen so that it does not briefly display the last typed character; however, the TOE always briefly displays the last entered character for the boot lock screen and Knox Workspace container lock screen. Additionally, the TOE's device lock screen does not provide any feedback other than a notification of a failed biometric (fingerprint or iris) authentication attempt ("not recognized"). Similarly, the TOE's Knox Workspace container lock screen, when configured for hybrid authentication, displays only an indication ("no match") of a failed biometric attempt.

FIA_UAU_EXT.1
The TOE's Key Hierarchy requires the user's password in order to derive the sHEK in order to decrypt other KEKs and DEKs. Thus, until it has the user's password, the TOE cannot decrypt the DEK utilized by ODE or FBE to decrypt protected data.

FIA_UAU_EXT.2
The TOE, when configured to require user authentication (as is the case in CC mode), allows only those actions described in section 5.1.4.20. Beyond those actions, a user cannot perform any other actions other than observing notifications displayed on the lock screen until after successfully authenticating. The Galaxy Fold, Galaxy S10e, Galaxy Tab S4 and Galaxy S8 Active devices do not support Edge applications, so Edge applications are not available on these devices.

FIA_X509_EXT.1
The TOE checks the validity of all imported CA certificates by checking for the presence of the basicConstraints extension and that the CA flag is set to TRUE as the TOE imports the certificate into the TOE's Trust Anchor Database. If the TOE detects the absence of either the extension or flag, the TOE will import the certificate as a user public key and add it to the keystore (not the Trust Anchor Database).
The TOE also checks for the presence of the basicConstraints extension and CA flag in each CA certificate in a server's certificate chain. Similarly, the TOE verifies the extendedKeyUsage Server Authentication purpose during certificate validation. The TOE's certificate validation algorithm examines each certificate in the path (starting with the peer's certificate) and first checks for validity of that certificate (e.g., has the certificate expired? or is it not yet valid? whether the certificate contains the appropriate X.509 extensions [e.g., the CA flag in the basicConstraints extension for a CA certificate, or that a server certificate contains the Server Authentication purpose in the extendedKeyUsage field]), then verifies each certificate in the chain (applying the same rules as above, but also ensuring that the Issuer of each certificate matches the Subject in the next rung "up" in the chain and that the chain ends in a self-signed certificate present in either the TOE's trusted anchor database or matches a specified Root CA), and finally the TOE performs revocation checking for all certificates in the chain.

FIA_X509_EXT.2/FIA_X509_EXT.2/WLAN
The TOE uses X.509v3 certificates as part of EAP-TLS, TLS, HTTPS and IPsec authentication. The TOE comes with a built-in set of default Trusted Credentials (Android's set of trusted CA certificates). While the user cannot remove any of the built-in default CA certificates, the user can disable any of those certificates through the user interface so that certificates issued by disabled CAs cannot validate successfully. In addition, a user can import a new trusted CA certificate into the Keystore or an administrator can install a new certificate through an MDM.
The TOE does not establish TLS or HTTPS connections itself (beyond EAP-TLS used for WPA2 Wi-Fi connections), but provides a series of APIs that mobile applications can use to check the validity of a peer certificate. When establishing an EAP-TLS connection, the TOE does not check for certificate revocation as the revocation servers are not available until after the EAP-TLS connection is established. The mobile application, after correctly using the specified APIs, can be assured as to the validity of the peer certificate and will not establish the trusted connection if the peer certificate cannot be verified (including validity, certification path, and revocation [through CRL and OCSP]).

The VPN requires that for each VPN profile, the user specify the client certificate the TOE will use (the certificate must have been previously imported into the keystore) and specify the CA certificate to which the server's certificate must chain. The VPN thus uses the specified certificate when attempting to establish that VPN connection. When establishing a connection to a VPN server, the VPN first compares the Identification (ID) Payload received from the server against the certificate sent by the server, and if the DN of the certificate does not match the ID, then the TOE does not establish the connection.

During revocation checking (for any type of connection except EAP-TLS), the TOE first attempts to determine a certificate's revocation status through OCSP (if the Authority Information Access, AIA, extension is present). If the certificate lacks AIA or if the OCSP server does not respond, or if the OCSP responder returns an unknown status, the TOE attempts to determine revocation status using CRLs, if the certificate includes a CRL Distribution Point (CDP). If the TOE cannot establish a connection with the server acting as the CDP, the TOE will deem the server's certificate as invalid and not establish a TLS connection with the server. Note that the VPN only checks OCSP for revocation.
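The path-validation rules given for FIA_X509_EXT.1 (per-certificate validity window, basicConstraints with CA=TRUE on every issuer, the Server Authentication purpose on the peer certificate, issuer/subject chaining up to a self-signed trust anchor) and the OCSP-first, CRL-fallback, fail-closed revocation order given for FIA_X509_EXT.2 can be written down as one policy function. The code below is an added example, not Android or Samsung code: on the device this work is done by java.security.cert.CertPathValidator over real certificates, whereas here a certificate is a small record, signatures are assumed to have already been verified, and the responders are dictionary stubs. Treating a certificate with neither AIA nor CDP as unverifiable, and not revocation-checking the trust anchor itself, are my assumptions; the page does not address either case.

```python
"""Path-validation and revocation policy from FIA_X509_EXT.1/.2, modelled over
constructed certificate records.

Added example, not Android or Samsung code. Signatures are assumed verified;
only the policy is shown. The "no AIA and no CDP" and "skip the trust anchor"
behaviours are assumptions, not statements from the Security Target.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Tuple

SERVER_AUTH = "serverAuth"


class ValidationError(Exception):
    pass


@dataclass
class Cert:
    subject: str
    issuer: str
    not_before: datetime
    not_after: datetime
    basic_constraints_ca: Optional[bool] = None  # None = extension absent
    eku: Tuple[str, ...] = ()                    # extendedKeyUsage purposes
    aia_ocsp: Optional[str] = None               # OCSP responder URL from AIA
    cdp: Optional[str] = None                    # CRL distribution point


def check_certificate(cert, now, is_leaf):
    """Validity window plus the extension each position in the chain must carry."""
    if now < cert.not_before:
        raise ValidationError(f"{cert.subject}: not yet valid")
    if now > cert.not_after:
        raise ValidationError(f"{cert.subject}: expired")
    if is_leaf:
        if SERVER_AUTH not in cert.eku:
            raise ValidationError(f"{cert.subject}: missing serverAuth extendedKeyUsage")
    elif cert.basic_constraints_ca is not True:
        raise ValidationError(f"{cert.subject}: basicConstraints CA flag not TRUE")


def revocation_status(cert, ocsp_query, crl_fetch):
    """OCSP when AIA is present; CRL when AIA is absent, the responder is silent,
    or it answers 'unknown'. Returns 'good' or 'revoked'; raises to fail closed."""
    if cert.aia_ocsp is not None:
        answer = ocsp_query(cert.aia_ocsp, cert.subject)  # 'good'|'revoked'|'unknown'|None
        if answer in ("good", "revoked"):
            return answer
    if cert.cdp is not None:
        revoked = crl_fetch(cert.cdp)                       # set of subjects, or None
        if revoked is None:
            raise ValidationError(f"{cert.subject}: CRL distribution point unreachable")
        return "revoked" if cert.subject in revoked else "good"
    raise ValidationError(f"{cert.subject}: no usable revocation source")  # assumption


def validate_path(chain, trust_anchors, now, ocsp_query, crl_fetch):
    """chain[0] is the peer certificate, chain[-1] the self-signed root."""
    if not chain:
        raise ValidationError("empty chain")
    for i, cert in enumerate(chain):
        check_certificate(cert, now, is_leaf=(i == 0))
        if i + 1 < len(chain) and cert.issuer != chain[i + 1].subject:
            raise ValidationError(f"{cert.subject}: issuer does not match next certificate")
    root = chain[-1]
    if root.issuer != root.subject or root.subject not in trust_anchors:
        raise ValidationError("chain does not end in a trusted self-signed root")
    for cert in chain[:-1]:  # the trust anchor itself is not checked (assumption)
        if revocation_status(cert, ocsp_query, crl_fetch) == "revoked":
            raise ValidationError(f"{cert.subject}: revoked")
    return True


# Constructed sample PKI and responder stubs (not real certificates or servers)
NOW = datetime(2019, 7, 19)
ROOT = Cert("CN=Example Root", "CN=Example Root", datetime(2015, 1, 1),
            datetime(2035, 1, 1), basic_constraints_ca=True)
INTERMEDIATE = Cert("CN=Example Issuing CA", "CN=Example Root", datetime(2017, 1, 1),
                    datetime(2027, 1, 1), basic_constraints_ca=True,
                    cdp="http://crl.example.test/root.crl")
LEAF = Cert("CN=vpn.example.test", "CN=Example Issuing CA", datetime(2019, 1, 1),
            datetime(2020, 1, 1), eku=(SERVER_AUTH,), aia_ocsp="http://ocsp.example.test")
TRUST_ANCHORS = {"CN=Example Root"}
OCSP_ANSWERS = {"http://ocsp.example.test": {"CN=vpn.example.test": "good"}}
CRLS = {"http://crl.example.test/root.crl": set()}   # empty CRL: nothing revoked


def sample_ocsp(url, subject):
    return OCSP_ANSWERS.get(url, {}).get(subject)   # None = responder did not answer


def sample_crl(url):
    return CRLS.get(url)                             # None = CDP unreachable


def validate_sample(chain=(LEAF, INTERMEDIATE, ROOT), ocsp_query=sample_ocsp,
                    crl_fetch=sample_crl):
    """Run the policy on the sample chain; returns (ok, reason)."""
    try:
        validate_path(list(chain), TRUST_ANCHORS, NOW, ocsp_query, crl_fetch)
        return True, "valid"
    except ValidationError as e:
        return False, str(e)
```

The sample chain validates; swapping in an issuer without the CA flag, a peer certificate without serverAuth, a broken issuer/subject link, a revoked OCSP answer, or an unreachable CDP each produces a distinct failure reason, and a silent OCSP responder falls through to the CRL when the certificate carries a CDP.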
FIA_X509_EXT.3
The TOE's Android operating system provides applications the java.security.cert.CertPathValidator API class of methods for validating certificates and certification paths (certificate chains establishing a trust chain from a certificate to a trust anchor). This class is also recommended to be used by third-party Android developers for certificate validation. However, TrustedCertificateStore must be used to chain certificates to the Android System Trust Anchor Database (anchors should be retrieved and provided to PKIXParameters used by CertPathValidator). The available APIs may be found here: http://developer.android.com/reference/java/security/cert/package-summary.html

6.5 Security Management

FMT_MOF_EXT.1/FMT_SMF_EXT.1
The TOE provides the management functions described in Table 8 - Security Management Functions. The table includes annotations describing the roles that have access to each service and how to access the service. The TOE enforces administrative configured restrictions by rejecting user configuration (through the UI) when attempted.

FMT_SMF_EXT.1/WLAN
The TOE provides the management functions described in Table 8 - Security Management Functions, Rows 48-55. The table includes annotations describing the roles that have access to each service and how to access the service. The TOE enforces administrative configured restrictions by rejecting user configuration (through the UI) when attempted. It is worth noting that the TOE's ability to specify authorized application repositories takes the form of allowing enterprise applications (i.e., restricting applications to only those applications installed by an MDM Agent).

FMT_SMF.1/VPN
The TOE provides the management functions described in Table 8 - Security Management Functions, Rows 56-61. In addition, the VPN Gateway, acting as administrator, can specify the IKE algorithms, protocols and authentication techniques, and the cryptoperiod for session keys.
The TOE provides users the ability to specify an X.509v3 certificate (previously loaded into the TOE Platform's keystore) for the TOE to use to authenticate to the VPN gateway during IPsec peer authentication as well as an X.509v3 certificate to use as the CA certificate. The TOE alternatively provides users the ability to enter a Pre-Shared Key to be used in lieu of an X.509v3 certificate during IPsec peer authentication.

FMT_SMF_EXT.2
A user can unenroll an MDM agent from the device in one of two ways. First, a user can revoke the MDM agent's administrative privileges through the Settings app (Settings->Security & Location->Device admin apps) and then uninstall the agent. This method assumes that the MDM agent does not block the user from revoking the agent's administrator privileges. When unenrolled in this fashion, the device will remove the Knox Workspace container, the container's applications and data. In effect, this translates to the selections of wiping all sensitive data (all Knox Workspace container data), removing all Enterprise applications (all container applications), removing all device-stored Enterprise application data (all container application data), and removing Enterprise secondary authentication data (Knox password and/or fingerprint).

In the case where an MDM agent blocks the user from revoking the agent's administrative privileges, a user can only unenroll by wiping the entire device. By doing this, the user causes the device to wipe all protected data (wiping all data, including both the user's protected data and any Enterprise/Knox Workspace container data) as well as remove MDM policies and disable CC mode (as the device returns to factory defaults).

FMT_SMF_EXT.3
The TOE provides the user with the ability to see all apps installed on the device that have administrative capabilities. Each app listing also shows the status of the app privileges for administration (enabled or disabled) and the permissions the app has on the device.
6.6 Protection of the TSF

FPT_AEX_EXT.1
The Linux kernel of the TOE's Android operating system provides address space layout randomization utilizing a non-cryptographic kernel random function to provide 8 unpredictable bits to the base address of any user-space memory mapping. The random function, though not cryptographic, ensures that one cannot predict the value of the bits.

FPT_AEX_EXT.2/FPT_AEX_EXT.6
The TOE's Android 9 operating system utilizes 4.14/4.9/4.4 Linux kernels, whose memory management unit (MMU) enforces read, write, and execute permissions on all pages of virtual memory and ensures that write and execute permissions are not simultaneously granted on all memory (exceptions are only made for Dalvik JIT compilation). The Android operating system sets the ARM eXecute Never (XN) bit on memory pages and the MMU circuitry of the TOE's ARMv8 Application Processor enforces the XN bits. From Android's security documentation (https://source.android.com/security/), Android supports "Hardware-based No eXecute (NX) to prevent code execution on the stack and heap". Section D.5 of the ARMv8 Architecture Reference Manual contains additional details about the MMU of ARM-based processors: http://infocenter.arm.com/help/index.jsp?topic=/com.arm.doc.ddi0487a.f/index.html.

FPT_AEX_EXT.3
The TOE's Android operating system provides explicit mechanisms to prevent stack buffer overruns (enabling -fstack-protector) in addition to taking advantage of hardware-based No eXecute to prevent code execution on the stack and heap. Samsung requires and applies these protections to all TSF executable binaries and libraries.

FPT_AEX_EXT.4
The TOE protects itself from modification by untrusted subjects using a variety of methods. The first protection employed by the TOE is a Secure Boot process that uses cryptographic signatures to ensure the authenticity and integrity of the bootloader and kernels using data fused into the device processor.
The TOE's Secure Boot process employs a series of public keys to form a chain of trust that operates as follows. The Application Processor (AP) contains the hash of the Secure Boot Public Key (SBPK, a key embedded in the end of the signed bootloader image), and upon verifying that the SBPK attached to the bootloader produces the expected hash, the AP uses this public key to verify the signature of the bootloader image, to ensure its integrity and authenticity before transitioning execution to the bootloader. The bootloader, in turn, contains the Image Signing Public Key (ISPK), which the bootloader will use to verify the signature on either kernel image (primary kernel image or recovery kernel image). The signing key type and hash type used are listed in Table 25 - Secure Boot Public Keys.

Device                                  | Signing Key | Hash
S10 5G/S10+/S10/S10e with Exynos 9820   | ECDSA P384  | SHA-256
All other devices                       | RSA 2048    | SHA-256
Table 25 - Secure Boot Public Keys

Note that when configured for Common Criteria mode, the TOE only accepts updates to the TOE via FOTA; however, when not configured for CC mode, the TOE allows updates through the bootloader's ODIN mode. The primary kernel includes an embedded FOTA Public Key, which the TOE uses to verify the authenticity and integrity of FOTA update signatures (which contain a PKCS 2.1 PSS RSA 2048 w/ SHA-512 signature).
The TOE protects access to the REK and derived HEK to only trusted applications (7) within the TEE (TrustZone). The TOE key manager includes a TEE module that utilizes the HEK to protect all other keys in the key hierarchy. All TEE applications are cryptographically signed, and when invoked at runtime (at the behest of an untrusted application), the TEE will only load the trusted application after successfully verifying its cryptographic signature. Furthermore, the device encryption library checks the integrity of the system by checking the result from both Secure Boot/Security Manager and from the Integrity Check Daemon before servicing any requests. Without this TEE application, no keys within the TOE (including keys for Screen Lock, the keystore, and user data) can be successfully decrypted, and thus are useless.

The third protection is the TOE's internal Security Manager watchdog service. The Security Manager manages the CC mode of the TOE by looking for unsigned kernels or failures from other, non-cryptographic checks on system integrity, and upon detection of a failure in either, disables the CC mode and notifies the TEE application. The TEE application then locks itself, again rendering all TOE keys useless.

Finally, the TOE's Android OS provides "sandboxing" that ensures each non-system mobile application executes with the file permissions of a unique Linux user ID in a different virtual memory space. This ensures that applications cannot access each other's memory space (it is possible for two processes to utilize shared memory, but not directly access the memory of another application) or files and cannot access the memory space or files of system-level applications.
(7) A TrustZone application is a trusted application that executes in a hardware-isolated domain.

FPT_AEX_EXT.5
The TOE provides Kernel Address Space Layout Randomization to ensure that the base address of kernel-space memory mappings consists of six (6) unpredictable bits. This ensures that at each boot, the location of kernel data structures including the core kernel begins at a random physical address, mapping the core kernel at a random virtual address in the vmalloc area, loading kernel modules at a random virtual address in the vmalloc area, and mapping system memory at a random virtual address in the linear area.

FPT_BBD_EXT.1
The TOE's hardware and software architecture ensures separation of the application processor (AP) from the baseband or communications processor (CP). From a software perspective, the AP and CP communicate logically through the Android Radio Interface Layer (RIL) daemon. This daemon, which executes on the AP, coordinates all communication between the AP and CP. It makes requests of the CP and accepts the response from the CP; however, the RIL daemon does not provide any reciprocal mechanism for the CP to make requests of the AP. Because the mobile architecture provides only the RIL daemon interface, the CP has no method to access the resources of the software executing on the AP.

FPT_JTA_EXT.1
The TOE prevents access to its processor's JTAG interface by only enabling JTAG when the TOE has a special image written to its bootloader/TEE partitions. That special image must be signed by the appropriate key (corresponding to the public key that has its SHA-256 hash programmed into the processor's fuses).

FPT_KST_EXT.1
The TOE does not store any plaintext key material in its internal Flash; instead, the TOE encrypts all keys before storing them. This ensures that irrespective of how the TOE powers down (e.g., a user commands the TOE to power down, the TOE reboots itself, or the battery is removed), all keys in internal Flash are wrapped with a KEK. Please refer to section 6.2 of the TSS for further information (including the KEK
used) regarding the encryption of keys stored in the internal Flash. As the TOE encrypts all keys stored in Flash, upon boot-up, the TOE must first decrypt and utilize keys. Note as well that the TOE does not use a user's biometric fingerprint to encrypt/protect key material. Rather the TOE always requires the user enter his or her password after a reboot (in order to derive the necessary keys to decrypt the user data partition and other keys in the key hierarchy).

FPT_KST_EXT.2
The TOE utilizes a cryptographic library consisting of an implementation of BoringSSL, the Kernel Crypto module, the SCrypto module, and the following system-level executables that utilize KEKs: dm-crypt (on devices with ODE), fscrypt (on devices with FBE), eCryptfs, wpa_supplicant, and the keystore.

The TOE ensures that plaintext key material is not exported by not allowing the REK to be exported and by ensuring that only authenticated entities can request utilization of the REK. Furthermore, the TOE only allows the system-level executables access to plaintext DEK values needed for their operation. The TSF software (the system-level executables) protects those plaintext DEK values in memory both by not providing any access to these values and by clearing them when no longer needed (in compliance with FCS_CKM_EXT.4). Note again that the TOE does not use the user's biometric fingerprint to encrypt/protect key material (and instead only relies upon the user's password).

FPT_KST_EXT.3
The TOE does not provide any way to export plaintext DEKs or KEKs (including all keys stored in the keystore) as the TOE chains all KEKs to the HEK/REK.

FPT_NOT_EXT.1
When the TOE encounters a self-test failure or when the TOE software integrity verification fails, the TOE transitions to a non-operational mode. The user may attempt to power-cycle the TOE to see if the failure condition persists, and if it does persist, the user may attempt to boot to the recovery mode/kernel to wipe data and perform a factory reset in order to recover the device.
FPT_STM.1
The TOE requires time for the Package Manager, FOTA image verifier, TLS certificate validation, wpa_supplicant, audit system and keystore applications. These TOE components obtain time from the TOE using system API calls [e.g., time() or gettimeofday()]. An application cannot modify the system time, as mobile applications need the Android "SET_TIME" permission to do so. Likewise, only a process with system privileges can directly modify the system time using system-level APIs. The TOE uses the Cellular Carrier time (obtained through the Carrier's network time server) as a trusted source; however, the user can also manually set the time through the TOE's user interface.

FPT_TST_EXT.1
The TOE performs known-answer power-on self-tests (POST) on its cryptographic algorithms to ensure that they are functioning correctly. The kernel itself performs known-answer tests on its cryptographic algorithms to ensure they are working correctly, and the Security Manager service invokes the self-tests of BoringSSL at start-up to ensure that those cryptographic algorithms are working correctly. The Chipset hardware performs a power-up self-test to ensure that its AES implementation is working, as does the TEE SCrypto cryptographic library. Should any of the tests fail, the TOE will reboot to see if that will clear the error.
Algorithm | Implemented in | Description
--------- | -------------- | -----------
AES encryption/decryption | BoringSSL, SCrypto, Kernel Crypto, Chipset hardware | Comparison of known answer to calculated value
ECDH key agreement | BoringSSL | Comparison of known answer to calculated value
DRBG random bit generation | BoringSSL, SCrypto, Kernel Crypto | Comparison of known answer to calculated value
ECDSA sign/verify | BoringSSL, SCrypto | Sign operation followed by verify
HMAC-SHA | BoringSSL, SCrypto, Kernel Crypto | Comparison of known answer to calculated value
RSA sign/verify | BoringSSL, SCrypto | Comparison of known answer to calculated value
SHA hashing | BoringSSL, SCrypto, Kernel Crypto | Comparison of known answer to calculated value
Table 26 - Power-up Cryptographic Algorithm Self-Tests

FPT_TST_EXT.1/WLAN & FPT_TST_EXT.1/VPN
The TOE platform performs the previously mentioned self-tests to ensure the integrity of the WLAN client (wpa_supplicant) and the VPN client (libcharon.so) in addition to the cryptographic libraries used by the clients.

FPT_TST_EXT.2(1)/FPT_TST_EXT.2(2)
The TOE ensures a secure boot process in which the TOE verifies the digital signature of the bootloader software for the Application Processor (using a public key whose hash resides in the processor's internal fuses) before transferring control. The bootloader, in turn, verifies the signature of the Linux kernel (either the primary or the recovery kernel) it loads. The TOE also uses dm-verity in EIO mode to protect the integrity of the system partition. After verifying the digital signature of the dm-verity hash tree (using the same public key that verifies the kernel image), the TOE will reject the loading of file system blocks where the integrity does not match, and return an I/O error (as if the block were unreadable).
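The "comparison of known answer to calculated value" tests of Table 26, together with the FPT_NOT_EXT.1 transition to a non-operational state when a test fails, as an added example that is not code from the Security Target or from Samsung. It covers only the primitives Python's standard library provides (SHA-256 and HMAC-SHA-256), and the FAULTY_VECTORS set is a constructed, deliberately broken implementation used to show a failing power-on self-test.

```python
"""Power-on known-answer self-tests (KATs) in the style of Table 26.

Added example, not code from the Security Target or Samsung. It covers the
algorithms Python's standard library provides (SHA-256 and HMAC-SHA-256) and
models the FPT_NOT_EXT.1 rule that any KAT failure leaves the platform in a
non-operational state. Vectors: FIPS 180-2 ("abc") and RFC 4231 test case 1.
"""
import hashlib
import hmac
from typing import Callable, Dict, List, Tuple

# (algorithm name, implementation under test, known answer as hex)
KATVector = Tuple[str, Callable[[], bytes], str]
KAT_VECTORS: List[KATVector] = [
    ("SHA-256",
     lambda: hashlib.sha256(b"abc").digest(),
     "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    ("HMAC-SHA-256",
     lambda: hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha256).digest(),
     "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7"),
]


def run_kat(impl: Callable[[], bytes], expected_hex: str) -> bool:
    """One Table 26 style test: compare calculated value with known answer."""
    try:
        calculated = impl()
    except Exception:  # a crashing primitive is a failed test, not an abort
        return False
    return hmac.compare_digest(calculated, bytes.fromhex(expected_hex))


def power_on_self_test(vectors: List[KATVector] = KAT_VECTORS
                       ) -> Tuple[str, Dict[str, bool]]:
    """Run every KAT; any failure -> "non-operational" (FPT_NOT_EXT.1)."""
    results = {name: run_kat(impl, exp) for name, impl, exp in vectors}
    state = "operational" if all(results.values()) else "non-operational"
    return state, results


# Constructed faulty SHA-256 (last digest byte zeroed) to show a failing POST.
def _faulty_sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()[:-1] + b"\x00"


FAULTY_VECTORS: List[KATVector] = [
    ("SHA-256", lambda: _faulty_sha256(b"abc"), KAT_VECTORS[0][2]),
    KAT_VECTORS[1],
]

if __name__ == "__main__":
    print(power_on_self_test())
    print(power_on_self_test(FAULTY_VECTORS))
```

The reboot-and-retry behaviour described under FPT_TST_EXT.1 is outside the block; it would act on the "non-operational" result.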
FPT_TUD_EXT.1
The TOE's user interface provides a method to query the current version of the TOE software/firmware (Android version, baseband version, kernel version, build number, and security software version) and hardware (model and version). Additionally, the TOE provides users the ability to review the currently installed apps (including 3rd party "built-in" applications) and their version.

FPT_TUD_EXT.2
When in CC mode, the TOE verifies all updates to the TOE software using a public key (FOTA public key) chaining ultimately to the Secure Boot Public Key (SBPK), a hardware-protected key whose SHA-256 hash resides inside the application processor (note that when not in CC mode, the TOE allows updates to the TOE software through ODIN mode of the bootloader). After verifying an update's FOTA signature, the TOE will then install those updates to the TOE. The TOE will check a new image to ensure that the image is not older than the current image, and if it is older, the TOE will reject the new image and not update the TOE software.

The application processor verifies the bootloader's authenticity and integrity (thus tying the bootloader and subsequent stages to a hardware root of trust: the SHA-256 hash of the SBPK, which cannot be reprogrammed after the "write-enable" fuse has been blown).

The Android OS on the TOE requires that all applications bear a valid signature before Android will install the application.

ALC_TSU_EXT
Samsung utilizes industry best practices to ensure their devices are patched to mitigate security flaws. Samsung provides a web portal for reporting potential security issues (https://security.samsungmobile.com/securityReporting.smsb) with instructions about how to securely contact and communicate with Samsung. As an Android OEM, Samsung also works with Google on reported Android issues (http://source.android.com/source/report-bugs.html) to ensure customer devices are secure.
Samsung will create updates and patches to resolve reported issues as quickly as possible, at which point the update is provided to the wireless carriers. The delivery time for resolving an issue depends on the severity, and can be as rapid as a few days before the carrier handoff for high-priority cases. The wireless carriers perform additional tests to ensure the updates will not adversely impact their networks and then plan device rollouts once that testing is complete. Carrier updates usually take at least two weeks to as much as two months (depending on the type and severity of the update) to be rolled out to customers. However, the Carriers also release monthly Maintenance Releases in order to address security-critical issues, and Samsung itself maintains a security blog (http://security.samsungmobile.com) in order to disseminate information directly to the public.

Samsung communicates with the reporting party to inform them of the status of the reported issue. Further information about updates is handled through the carrier release notes. Issues reported to Google directly are handled through Google's notification processes.

6.7 TOE Access

FTA_SSL_EXT.1
The TOE transitions to its locked state either immediately after a user initiates a lock by pressing the power button or after a configurable period of inactivity. As part of that transition, the TOE will display a lock screen to obscure the previous contents; however, the TOE's lock screen still allows a user to perform the functions listed in section 5.1.4.20 before authenticating. Without authenticating first, though, a user cannot perform any related actions based upon these notifications (for example, they cannot respond to emails, calendar appointment requests, or text messages) other than answering an incoming phone call.
Note that for devices that support ODE, during power-up the TOE presents the user with a boot lock screen, where the user can only make an emergency call or enter the ODE password, in order to allow the TOE to decrypt the ODE key so that it can access the data partition. After successfully authenticating at the power-up login screen, the TOE (when subsequently locked) presents the user with the device lock screen.

For devices that support FBE, on power-up the TOE boots to the device lock screen. On the first boot, the user can only make emergency calls, receive calls, enter their password or see notifications from apps that do not require user authentication (apps that have requested the use of Device Encrypted storage during installation).

FTA_TAB.1
The TOE can be configured to display a user-specified message (maximum of 23 characters) on the lock screen, and additionally an administrator can set a lock screen message using an MDM.

FTA_WSE_EXT.1
The TOE allows an administrator to specify (using an MDM) a list of wireless networks (SSIDs) to which the user may direct the TOE to connect. When not enrolled with an MDM, the TOE allows the user to control to which wireless networks the TOE should connect, but does not provide an explicit list of such networks; rather, the user may scan for available wireless networks (or directly enter a specific wireless network), and then connect. Once a user has connected to a wireless network, the TOE will automatically reconnect to that network when in range and the user has enabled the TOE's Wi-Fi radio.

6.8 Trusted Path/Channels

FTP_ITC_EXT.1/FTP_ITC_EXT.1/WLAN
The TOE provides secured (encrypted and mutually authenticated) communication channels between itself and other trusted IT products through the use of 802.11-2012, 802.1X, and EAP-TLS, TLS, HTTPS and IPsec. The TOE permits itself and applications to initiate communications via the trusted channel, and the TOE initiates communication via the trusted channel for connection to a wireless access point.
The TOE provides access to TLS and HTTPS via published APIs that are accessible to any application that needs an encrypted end-to-end trusted channel. The TOE also meets the PP-Module for Virtual Private Network (VPN) Clients.

6.9 Knox Workspace Container Functionality

To differentiate the functionality provided specifically by a Knox Workspace container, this section enumerates the functionality provided by the container.

FDP_ACF_EXT.1.2
The TOE, through a combination of Android's multi-user capabilities and Security Enhancements (SE) for Android, provides the ability to create an isolated container within the device. Within a container a group of applications can be installed, and access to those applications is then restricted to usage solely within the container. The container boundary restricts the ability to share data such that applications outside the container cannot see, share or even copy data to those inside the container and vice versa. Exceptions to the boundary (such as allowing a copy operation) must be configured by the administrator via policy. Furthermore, the container boundary policy can control access to hardware features, such as the camera or microphone, and restrict the ability of applications within the container to access those services.

FIA_AFL_EXT.1
The Knox Workspace container maintains, in Flash, the number of failed logins since the last successful login, and upon reaching the maximum number of incorrect logins, the Knox Workspace container performs a full wipe of data protected by Knox (i.e., data inside the container). An administrator can adjust the number of failed logins for the hybrid and password login mechanism from the default of ten failed logins to a value between one and thirty through an MDM.

FIA_UAU_EXT.4
The TOE requires a separate password or hybrid authentication for its container, thus protecting all Enterprise application data and shared resource data. The user must enter either their password or both their password and biometric (if the user has configured hybrid container authentication and enrolled a biometric) in order to access any of the Enterprise application data.
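The FIA_AFL_EXT.1 behaviour above (a failed-login count kept in Flash so it survives a reboot, a container wipe on reaching the maximum, and an MDM-settable maximum that defaults to ten and must lie between one and thirty), as an added example that is not code from the Security Target, Samsung or Knox. The JSON file standing in for Flash, the fresh_flash_path helper and the wipe callback are constructed for the example.

```python
"""Failed-login lockout counter modelled on FIA_AFL_EXT.1 (Knox Workspace).
Added example, not Samsung's or Knox's code: the count of failed logins since
the last successful login is kept in a JSON file standing in for Flash so it
survives a reboot; reaching the maximum wipes the container data."""
import json
import os
import tempfile
from typing import Callable

DEFAULT_MAX_FAILURES = 10
MIN_MAX_FAILURES, MAX_MAX_FAILURES = 1, 30


def fresh_flash_path() -> str:
    """Constructed stand-in for a Flash record: an unused file in a temp dir."""
    return os.path.join(tempfile.mkdtemp(), "knox_afl.json")


class ContainerLockout:
    def __init__(self, flash_path: str, wipe_container: Callable[[], None]):
        self.flash_path = flash_path          # persisted across reboots
        self.wipe_container = wipe_container  # wipes Knox-protected data
        state = self._load()
        self.max_failures = state.get("max_failures", DEFAULT_MAX_FAILURES)
        self.failed_logins = state.get("failed_logins", 0)

    def _load(self) -> dict:
        if not os.path.exists(self.flash_path):
            return {}
        with open(self.flash_path) as f:
            return json.load(f)

    def _store(self) -> None:
        # Write then atomically rename: a power loss mid-write cannot lose the count.
        tmp = self.flash_path + ".tmp"
        with open(tmp, "w") as f:
            json.dump({"max_failures": self.max_failures,
                       "failed_logins": self.failed_logins}, f)
        os.replace(tmp, self.flash_path)

    def set_max_failures(self, n: int) -> None:
        """Administrator (MDM) setting; values outside 1..30 are rejected."""
        if not MIN_MAX_FAILURES <= n <= MAX_MAX_FAILURES:
            raise ValueError("max failed logins must be between 1 and 30")
        self.max_failures = n
        self._store()

    def record_attempt(self, credential_ok: bool) -> str:
        """Returns "unlocked", "failed" or "wiped"."""
        if credential_ok:
            self.failed_logins = 0
            self._store()
            return "unlocked"
        self.failed_logins += 1
        self._store()  # count is committed before any wipe decision
        if self.failed_logins >= self.max_failures:
            self.wipe_container()
            self.failed_logins = 0
            self._store()
            return "wiped"
        return "failed"
```

Re-creating a ContainerLockout on the same path models a reboot; the count carries over, which is the property the requirement asks for.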
FIA_UAU.5
The Knox Workspace container allows the user to authenticate using a password, or a hybrid method requiring both a biometric and the password at the same time. The TOE prohibits other authentication mechanisms, such as pattern, PIN, or biometric by themselves.

FIA_UAU.6(1)/FIA_UAU.6(2)
The Knox Workspace container requires the user to enter their password in order to unlock the Knox Workspace container. Additionally, the Knox Workspace container requires the user to confirm their current password when accessing the "Knox Settings -> Knox unlock method" menu in the Knox Workspace container's user interface. Only after entering their current user password can the user then elect to change their password.

FIA_UAU.7
The Knox Workspace container allows the user to enter the user's password from the Knox lock screen. The Knox Workspace container will, by default, display the most recently entered character of the password briefly or until the user enters the next character in the password, at which point the Knox Workspace container obscures the character by replacing it with a dot symbol.

FMT_MOF.1/FMT_SMF_EXT.1
The Knox Workspace container grants the admin additional controls over the container beyond those available to the device as a whole. The primary additional control is over sharing data to and from the container.

The control over the camera and microphone within the Knox Workspace container only affects access to those resources inside the container, not outside the container. If either of these is disabled outside the container then they will not be available within the container, even if enabled within the container.

In general the management functions for the Knox Workspace container are the same as those of the device as a whole. Specific differences in the impact of a Knox Workspace container function are noted in Table 8 - Security Management Functions.
FTA_SSL_EXT.1
The Knox Workspace container transitions to its locked state either immediately after a user initiates a lock by pressing the container lock button from the notification bar or after a configurable period of inactivity, and as part of that transition, the Knox Workspace container will display a lock screen to obscure the previous contents. When the Knox Workspace container is locked, it can still display calendar appointments and other notifications allowed by the administrator to be shown outside the container (in the notification area). However, without authenticating first to the Knox Workspace container, a user cannot perform any related actions based upon these container notifications (they cannot respond to emails, calendar appointments, or text messages).

The Knox Workspace container timeout is independent of the TOE timeout and as such can be set to different values.

7 TSF Inventory

Below is a list of user-mode TSF binaries and libraries. All are built with the -fstack-protector option set. For each binary/library, the name, path and security function are provided.
Name | Path | Security Function
---- | ---- | -----------------
app_process | system/bin | APP
charon | system/bin | VPN
dalvikvm | system/bin | VM
gatekeeper.mdfpp.so | system/vendor/lib64/hw | Keystore/Key Mgmt
gatekeeperd | system/bin | Keystore/Key Mgmt
icd | system/vendor/bin | Integrity
keystore | system/bin | Keystore
keystore.mdfpp.so | system/vendor/lib64/hw | Keystore
libcharon.so | system/lib64 | VPN
libcrypto.so | system/lib, system/lib64, system/lib/vndk-28/, system/lib64/vndk-28, system/vendor/lib64/vndk | Crypto
libjavacrypto.so | system/lib, system/lib64 | Crypto JNI
libkeymaster_helper.so | system/lib64 | Keystore/Key Mgmt
libkeymaster_mdfpp.so | system/vendor/lib64 | Keystore/Key Mgmt
libkeymaster2_mdfpp.so | system/vendor/lib64 | Keystore/Key Mgmt
libkeystore_binder.so | system/lib, system/lib64 | Keystore
libkeyutils.so | system/lib64 | DAR
libknox_km.so | system/lib, system/lib64 | DAR
libMcClient.so | system/vendor/lib, system/vendor/lib64 | TrustZone access (for U devices)
libMcRegistry.so | system/vendor/lib, system/vendor/lib64 | TrustZone access (for U devices)
libmdf.so | system/lib, system/lib64, system/vendor/lib, system/vendor/lib64 | CCMode
libmdfpp_req.so | system/lib, system/lib64 | CCMode
libQSEEComAPI.so | system/lib, system/lib64, system/vendor/lib, system/vendor/lib64 | TrustZone Daemon
libsdp_crypto.so | system/lib, system/lib64 | DAR
libsdp_kekm.so | system/lib, system/lib64 | DAR
libsdp_sdk.so | system/lib, system/lib64 | DAR
libsec_ode_keymanager.so | system/lib64 | DAR
libsec_ode_keymaster.so | system/lib64 | DAR
libsec_ode_pbkdf.so | system/lib64 | DAR
libsec_ode_sdcardencryption.so | system/lib64 | DAR
libsecure_storage.so | system/vendor/lib, system/vendor/lib64 | DAR
libsecure_storage_jni.so | system/lib, system/lib64 | DAR
libsoftkeymasterdevice.so | system/lib, system/lib64 | Keystore/Key Mgmt
libssl.so | system/lib, system/lib64, system/lib/vndk-28/, system/lib64/vndk-28, system/vendor/lib64/vndk | Crypto
libstrongswan.so | system/lib64/ | VPN
macloader | system/vendor/bin/hw | WLAN
mcDriverDaemon | system/vendor/bin | TrustZone Daemon
mfgloader | system/vendor/bin/hw | WLAN
qseecomd | system/vendor/bin | DAR
sdp_cryptod | system/bin | DAR
secure_storage_daemon | system/vendor/bin | FOTA
time_daemon | system/vendor/bin | Time
vold | system/bin | DAR
wlandutservice | system/bin | WLAN
wpa_supplicant | system/vendor/bin/hw | WLAN
Table 27 - TSF Files Inventory