Hikvision Network Camera Series Security Target Version 3.0 Document history Version Date Comment Author 0.5 2018-02-07 First draft FGOM, XCAS 0.6 2018-02-08 Added out of the scope services Update according to Hikvision’s comments Management functions added XCAS 1.0 2018-03-13 First release FGOM, XCAS 1.1 2018-04-05 Addressed the evaluator EORs FGOM 1.2 2018-04-10 SDK removed ISAPI added XCAS 2.0 2018-07-16 Updated guidance documentation versions Updated TOE firmware/software versions FGOM 3.0 2018-08-02 Updated Guidance version and models features Hikvision Distribution list  Hikvision  SERTIT  Brightsight Contents 1 Security Target Introduction...................................................................................... 6 Security Target Reference............................................................................................ 6 TOE Reference ............................................................................................................. 6 TOE Overview............................................................................................................... 6 1.3.1 TOE Type...................................................................................................................... 6 1.3.2 TOE Usage and Major Security Features..................................................................... 7 1.3.3 Non-TOE Hardware/Software/Firmware....................................................................... 8 TOE Description............................................................................................................ 8 1.4.1 Physical Scope ............................................................................................................. 8 1.4.1.1 List of TOE models ....................................................................................................... 8 1.4.2 Logical Scope ............................................................................................................... 9 1.4.2.1 Security Management ................................................................................................... 9 1.4.2.2 User Identification and Authentication .......................................................................... 9 1.4.2.3 Trusted path/channel .................................................................................................. 10 1.4.2.4 Audit Logs ................................................................................................................... 10 1.4.2.5 Protection of the TSF .................................................................................................. 10 1.4.2.6 Cryptographic Support ................................................................................................ 10 1.4.2.7 TOE Access ................................................................................................................ 10 1.4.2.8 Trusted Firmware Updates ......................................................................................... 10 1.4.2.9 Excluded functionality ................................................................................................. 10 2 Conformance claims................................................................................................. 11 CC Conformance Claim .............................................................................................. 11 Package Claim............................................................................................................ 11 Conformance Rationale .............................................................................................. 11 3 Security Problem Definition..................................................................................... 12 Assumptions................................................................................................................ 12 Threats........................................................................................................................ 12 Organisational Security Policies ................................................................................. 13 4 Security Objectives................................................................................................... 14 Security Objectives for the TOE.................................................................................. 14 Security Objectives for the Operational Environment................................................. 14 5 Extended Component Definition ............................................................................. 15 Definition of the family FPT_TFU................................................................................ 15 6 Security Functional Requirements ......................................................................... 16 Security Management ................................................................................................. 16 6.1.1 FMT_SMR.1 Security roles......................................................................................... 16 6.1.2 FMT_SMF.1 Specification of Management Functions................................................ 16 6.1.3 FMT_MOF.1 Management of security functions behaviour........................................ 16 User Identification and Authentication ........................................................................ 16 6.2.1 FIA_AFL.1 Authentication failure handling ................................................................. 16 6.2.2 FIA_SOS.1 Verification of secrets .............................................................................. 17 6.2.3 FIA_UAU.1 Timing of authentication .......................................................................... 17 6.2.4 FIA_UID.1 Timing of identification .............................................................................. 17 Trusted path/channels ................................................................................................ 17 6.3.1 FTP_TRP.1 Trusted path............................................................................................ 17 Audit Logs ................................................................................................................... 18 6.4.1 FAU_GEN.1 Audit data generation............................................................................. 18 6.4.2 FAU_SAR.1 Audit review............................................................................................ 18 Protection of the TSF .................................................................................................. 19 6.5.1 FPT_STM.1 Reliable time stamps .............................................................................. 19 6.5.2 FDP_DAU.1 Basic Data Authentication...................................................................... 19 Cryptographic support................................................................................................. 19 6.6.1 AES Data Encryption/Decryption................................................................................ 19 6.6.1.1 FCS_COP.1/AES Cryptographic operation (AES Data Encryption/Decryption) ........ 19 6.6.1.2 FCS_CKM.1/AES Cryptographic key generation ....................................................... 19 6.6.1.3 FCS_CKM.1/AES_TLS Cryptographic key generation (for TLS) ............................... 20 6.6.1.4 FCS_CKM.4/AES Cryptographic key destruction....................................................... 20 6.6.2 Hash Algorithm ........................................................................................................... 20 6.6.2.1 FCS_COP.1/Hash Cryptographic operation (Hash Algorithm)................................... 20 6.6.3 Signature Generation and Verification........................................................................ 20 6.6.3.1 FCS_COP.1/Sign Cryptographic operation (Signature Generation and Verification) 20 6.6.3.2 FCS_CKM.1/Sign Cryptographic key generation ....................................................... 20 6.6.3.3 FCS_CKM.4/Sign Cryptographic key destruction....................................................... 21 6.6.4 HMAC.......................................................................................................................... 21 6.6.4.1 FCS_COP.1/HMAC Cryptographic operation (Keyed Hash Algorithm) ..................... 21 6.6.4.2 FCS_CKM.1/HMAC Cryptographic key generation.................................................... 21 6.6.4.3 FCS_CKM.4/HMAC Cryptographic key destruction ................................................... 21 TOE Access ................................................................................................................ 21 6.7.1 FTA_MCS.1 Basic limitation on multiple concurrent sessions ................................... 21 6.7.2 FTA_SSL.4 User-initiated termination ........................................................................ 22 Trusted Firmware Updates ......................................................................................... 22 6.8.1 FPT_TFU.1 Trusted Firmware Updates. .................................................................... 22 7 Security Assurance Requirements ......................................................................... 23 8 TOE Summary Specification.................................................................................... 24 Security Management ................................................................................................. 24 User Identification and Authentication ........................................................................ 24 Trusted path/channels ................................................................................................ 24 Audit Logs ................................................................................................................... 24 Protection of the TSF .................................................................................................. 24 Cryptographic support................................................................................................. 25 TOE Access ................................................................................................................ 25 Trusted Firmware Updates ......................................................................................... 25 9 Rationales.................................................................................................................. 26 Security Objectives Rationale..................................................................................... 26 9.1.1 Threats and Assumptions to Security Objectives Mapping ........................................ 26 9.1.2 Assumptions to security objectives rationale .............................................................. 26 9.1.3 Threats to security objectives rationale ...................................................................... 27 Security Requirements Rationale ............................................................................... 27 Dependency Rationale................................................................................................ 28 10 Abbreviations and glossary..................................................................................... 29 11 References................................................................................................................. 30 1 Security Target Introduction Security Target Reference ST Title Hikvision Network Camera Series ST Version See Document History ST Date See Document History Author Hangzhou Hikvision Digital Technology Co.,Ltd. No.555 Qianmo Road, Binjiang District, Hangzhou 310052, China Table 1 Security Target reference TOE Reference TOE Name Hikvision Network Camera Series* TOE Version The TOE version is composed of the camera model, firmware version and firmware release date. Refer to Table 4 TOE series and models for details. TOE Identification The TOE unique identifier is composed of the camera model, firmware version and firmware release date. Refer to Table 4 TOE series and models for details. TOE Type Network Camera Table 2 TOE reference * The TOE name encompass all the camera models as listed in Table 4. TOE Overview 1.3.1 TOE Type The Target Of Evaluation (TOE) is a Network Camera developed by Hikvision, and will hereafter be referred to as the TOE throughout this document. The TOE is a Network camera which comprises a hardware board and a specific firmware for the hardware. The TOE provides the following functionality:  Management interface.  Video over IP. The TOE consists of two series of Network cameras: DS-2CD3 and DS-2CD5. The following list details the models in scope for each family:  DS-2CD3 series: DS-2CD3025G0-I, DS-2CD3125G0-IS, DS-2CD3325G0-I, DS-2CD3T25G0-I, DS-2CD3525G0-IS, DS-2CD3625G0-IZS, DS-2CD3725G0-IZS, DS-2CD3H25G0-IZS, DS- 2CD3045G0-I, DS-2CD3145G0-IS, DS-2CD3345G0-I, DS-2CD3T45G0-I, DS-2CD3545G0-IS, DS- 2CD3645G0-IZS, DS-2CD3745G0-IZS, DS-2CD3H45G0-IZS, DS-2CD3085G0-I, DS- 2CD3185G0-IS, DS-2CD3385G0-I, DS-2CD3T85G0-I, DS-2CD3685G0-IZS, DS-2CD3785G0-IZS, DS-2CD3H85G0-IZS.  DS-2CD5 series: DS-2CD5026G0-AP, DS-2CD5046G0-AP, DS-2CD5085G0-AP, DS- 2CD5126G0-IZS, DS-2CD5146G0-IZS, DS-2CD5185G0-IZS, DS-2CD5A26G0-IZHS, DS- 2CD5A46G0-IZHS, DS-2CD5A85G0-IZHS, DS-2CD5526G0-IZHS, DS-2CD5546G0-IZHS, DS- 2CD5585G0-IZHS. 1.3.2 TOE Usage and Major Security Features The environment consists of a LAN network which is totally isolated from other networks (e.g. other LANs or Internet). The TOE network may contain the following components: one or multiple TOEs, video recording devices (such as NVR) and management computers via ISAPI. Figure 1 illustrates the environment where the TOE is intended to be used: Web HTTPS RTSP NVR RTSP/ ISAPI Over HTTPS ISAPI Over HTTPS Network Client/Platform Figure 1 TOE usage scenario. The usage scenarios in scope of the evaluation are:  TOE’s management interface being accessed from a browser or a client/platform software using ISAPI over HTTPS. ISAPI is an HTTP-based application programming interface that enables the TOE to communicate with IP media devices. Web application and client/platform programs must implement this API.  Video data distribution to a network recording device or to a web browser using the following the RTSP protocol. The TOE provides the following major security features:  Security management.  User identification and authentication.  Trusted path.  Audit logs.  Protection of the TSF.  Cryptographic support.  TOE access.  Trusted firmware updates. The TOE does not provide confidentiality protection of the video data when distributing it to external entities through the TOE network. The TOE also provide additional features corresponding to a Network Camera TOE type. These features are considered only functional features, therefore they are not security related and not part of the evaluation scope. The supported features include (among others, and dependant on the TOE model):  Image processing options such as face detection, intrusion detection, unattended baggage detection, privacy mask, etc.  Support for different video resolutions and frame rates, image settings (saturation, brightness, contrast…) and multiple simultaneous video streams.  Support for multiple video data encoding and compression standards. 1.3.3 Non-TOE Hardware/Software/Firmware As illustrated in Figure 1, the TOE network may contain the following components: the TOE (one or multiple), video recording devices (e.g. NVR) and management devices via ISAPI over HTTPS. Component Required Scope Description Management computer with a web browser Mandatory No General purpose computer that is used to manage the TOE using a web interface implementing ISAPI over HTTPS and to receive video data through the RTSP protocol. Network Video Recorder (NVR) Optional No Physical device used to record and store video. The video is received via RTSP protocol. Client/Platform Optional No General purpose computer which implements a software solution to record and store video from the TOE and/or manage the same TOE through ISAPI over HTTPS. Table 3 Components of the environment TOE Description 1.4.1 Physical Scope 1.4.1.1 List of TOE models The TOE is provided in the following format: a network camera hardware (different for each camera model), a firmware binary image file and the user guidance documentation. The TOE consists of 2 different product series, each series containing different hardware models integrating the same firmware/software versions for the whole series. The full list of models is provided below: Series Models Firmware/Software Interfaces DS-2CD3 DS-2CD3025G0-I Firmware V5.5.60 build 180514 Web version V4.0.51 build 180425 Encoding version V7.3 build 180510 Plugin version V3.0.6.43 DC12V, SD, RJ45 DS-2CD3125G0-IS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3325G0-I DC12V, SD, RJ45 DS-2CD3T25G0-I DC12V, SD, RJ45 DS-2CD3525G0-IS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3625G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3725G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3H25G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3045G0-I DC12V, SD, RJ45 DS-2CD3145G0-IS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3345G0-I DC12V, SD, RJ45 DS-2CD3T45G0-I DC12V, SD, RJ45 DS-2CD3545G0-IS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3645G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3745G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3H45G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3085G0-I DC12V, SD, RJ45 DS-2CD3185G0-IS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3385G0-I DC12V, SD, RJ45 DS-2CD3T85G0-I DC12V, SD, RJ45 DS-2CD3685G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3785G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD3H85G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD5 DS-2CD5026G0-AP Firmware V5.5.60 build 180514 Web version V4.0.1 build 180502 Encoding version V7.3 build 180510 Plugin version V3.0.6.38 DC12V, SD, RJ45, RS485, audio 1in 1out, alarm 2in 2out DS-2CD5046G0-AP DC12V, SD, RJ45, RS485, audio 1in 1out, alarm 2in 2out DS-2CD5085G0-AP DC12V, SD, RJ45, RS485, audio 1in 1out, alarm 2in 2out DS-2CD5126G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD5146G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD5185G0-IZS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD5A26G0-IZHS DC12V, SD, RJ45, audio 1in 1out, alarm 2in 2out DS-2CD5A46G0-IZHS DC12V, SD, RJ45, audio 1in 1out, alarm 2in 2out DS-2CD5A85G0-IZHS DC12V, SD, RJ45, audio 1in 1out, alarm 2in 2out DS-2CD5526G0-IZHS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD5546G0-IZHS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out DS-2CD5585G0-IZHS DC12V, SD, RJ45, audio 1in 1out, alarm 1in 1out Table 4 TOE series and models Type Name Version Security Guidance Hikvision Network Camera Series Security Guidance Version 0.7 User Manual Hikvision Network Camera User Manual UD09650B ISAPI specification Hikvision IP Surveillance API, Image Service Specification v2.1 rev 1 Hikvision IP Surveillance API, PTZ Service Specification v2.2 rev 1 Hikvision IP Surveillance API, (RaCM Part) User Guide v2.0 rev 1 Hikvision IP Surveillance API User Guide v2.2 rev 1 Table 5 Guidance documentation The delivery of the TOE hardware (the camera itself) to customers is performed through a courier company. The camera firmware and user guidance is available to the TOE users through Hikvision’s web site. 1.4.2 Logical Scope This section outlines the logical boundaries of the security functionality of the TOE. 1.4.2.1 Security Management The TOE maintains three different roles which are assign to each users. Allowed management functions are different for each role. 1.4.2.2 User Identification and Authentication The TOE management can be done either using a computer with a web browser supporting HTTPS or by a software platform implementing the ISAPI. In both cases the access to the TOE is protected by a user/password authentication. The access to the management functions implements security controls to detect unsuccessful authentication attempts and insufficient password complexity and length. In case of reaching 7 (for the Administrator) or 5 (for the Operator and User) consecutive unsuccessful attempts, the TOE blocks the IP address from which the user is trying to connect. 1.4.2.3 Trusted path/channel A trusted path implemented with HTTPS communication shall be established before accessing the TOE management functionality. 1.4.2.4 Audit Logs The TOE has the capability to generate audit records. TOE administrators have the ability to read the logs after establishing the trusted path and successfully log in. 1.4.2.5 Protection of the TSF The TOE provides reliable time stamps. 1.4.2.6 Cryptographic Support The TOE provides cryptographic support for specific functionality:  HTTPS secure communications to access the management functionality of the TOE.  RTSP protocol authentication.  RSA signature verification to verify the firmware.  Video integrity watermarking. 1.4.2.7 TOE Access The TOE provides the capability to restrict the maximum number of concurrent session for a same user through the management interface. It also implements a method to terminate an open session by an action of the user. 1.4.2.8 Trusted Firmware Updates The trusted firmware update functionality is implemented and enforced using signature verification of the signed firmware. 1.4.2.9 Excluded functionality Following functionality is not included within the scope of the evaluation and shall therefore be disabled. Services Rationale NTP Services and functionalities are disabled in the evaluated configuration. HTTP RS-232/RS-485 DDNS PPPoE UPnP SNMP (v1, v2 and v3) FTP E-mail Platform access Table 6 Disabled services and functionality 2 Conformance claims CC Conformance Claim The TOE and ST claim conformance to the CC Version 3.1 revision 5 [2] [3]. The ST claim conformance to CC Part 2 extended and CC Part 3 conformant. Package Claim The Security Target claims conformance to assurance package EAL2 augmented by ALC_FLR.2. Conformance Rationale No conformance is claimed to any Protection Profile. 3 Security Problem Definition This chapter identifies the following:  Significant assumptions about the TOE’s operational environment.  Threats that must be countered by the TOE or its environment This document identifies assumptions as A.assumption with “assumption” specifying a unique name. Threats are identified as T.threat with “threat” specifying a unique name. Assumptions The specific conditions listed in the following subsections are assumed to exist in the TOE’s environment. These assumptions include both practical realities in the development of the TOE security requirements and the essential environmental conditions on the use of the TOE. Assumption Definition A.TRUSTED_USERS The administrator of the TOE is a trusted individual which must correctly configure and install the TOE in its operational environment by following the guidance documentation. The users of the TOE are considered trusted individuals which will not carry out any malicious action trying to compromise the availability of the TOE. A.TRUSTED_NETWORK_SYSTEMS Attackers have no chance to connect any malicious devices into the local network of the TOE. Table 7 Assumptions Threats The following table lists the threats addressed by the TOE and its environment. The assumed level of expertise of the attacker for all the threats identified below is Basic. Threat Definition T.UNAUTHORISED_ACCESS Threat agents may try to gain access to TOE functionality without having the required permission. This threat includes:  Bypassing user authentication  Access to functionality without permissions,  Administrator impersonation,  Operation replay. Attackers may take advantage of poorly implemented security measures like authentication, cookie management, design of the communications, etc. By attacking this functionality it could be possible to execute malicious operations without having the proper privileges. T.TRANSMISSION_DISCLOSURE Threat agents may be able to obtain credential of valid TOE users during the communication between the same TOE and the other device (e.g. management computer). Weak cryptography implementation like small key sizes or the usage of deprecated algorithms and protocols may allow an attacker to sniff communications, recover credentials or manipulate the traffic. Note that this threat is applicable only for the management interfaces: ISAPI. T.VIDEO_MANIPULATION Threat agents may try to modify the integrity of the video data sent to the recording devices (NVR). An attacker may try to manipulate video data by:  A man-in-the middle (MITM) attack intercepting the video data and modifying the content partially or totally.  Circumventing the integrity mechanisms of the video data transmission. Successful attacks may allow attackers to manipulate the video image without being detected by the system. Threat Definition T.CAMERA_UNAVAILABLE Threat agents may try to subvert the availability of the TOE An inadequate protection against Denial of Service (DOS) attacks or a badly chosen physical protection may allow an attacker to force the interruption of the video data transmission. T.UPDATE_COMPROMISE Threat agents may attempt to provide a compromised update of the software or firmware which undermines the security functionality of the device. Non-validated updates or updates validated using non-secure or weak cryptography leave the update firmware vulnerable to alteration. Table 8 Threats Organisational Security Policies There are no Organizational Security Policies identified for this TOE. 4 Security Objectives Security Objectives for the TOE Objective Definition O.USER_AUTHENTICATION The TOE provides authentication mechanisms for users, of which there are 3 types: Administrator, Operator and User. O.USER_AUTHORISATION The TOE manages different access control to operations for different user roles. O.USER_MANAGEMENT The TOE provides management capabilities to the Administrator role for adding/removing users into the system (Operator and User roles) and to configure the access permissions to the TOE functionalities. O.AUDIT_LOGS The TOE supports logging of events and alarms. O.VIDEO_INTEGRITY The TOE provides means to ensure the integrity of the video data generated. O.FIRMWARE_LOAD_INTEGRITY The firmware image during firmware loading is verified by the TOE in terms of integrity and authenticity, to ensure that only valid firmware updates are accepted. O.TRUSTED_PATH The TOE provides the capacity to establish a trusted path before accessing the management functionality Table 9 Objectives for the TOE Security Objectives for the Operational Environment Objective Definition OE.TRUSTED_USERS The administrator of the TOE is a trusted individual which will correctly configure and install the TOE in its operational environment by following the guidance documentation. The users of the TOE are trusted individuals that will not perform any malicious action trying to compromise the availability of the TOE. OE.TRUSTED_NETWORK_SYSTEMS Attackers have no chance to connect any malicious devices into the local network of the TOE. OE.TOE_AVAILABILITY The operational environment shall protect the TOE against internal attacks trying to disrupt the availability. Table 10 Objectives for the operational environment 5 Extended Component Definition Definition of the family FPT_TFU Family Behaviour Components in this family address the requirements for the verification of the integrity and authenticity of the TOE firmware before updating. Component levelling Management: FPT_TFU.1 There are no management activities foreseen. Audit: FPT_TFU.1 There are no actions defined to be auditable. FPT_TFU.1 Trusted Firmware Updates. Hierarchical to: No other components. Dependencies: FCS_COP.1 Cryptographic operation FPT_TFU.1.1 The TSF shall provide [assignment: authorised users] the ability to query the currently executing version of the TOE firmware. FPT_TFU.1.2 The TSF shall provide [assignment: authorised users] the ability to manually initiate updates to the TOE firmware and [selection: support automatic checking for updates, support automatic updates, no other update mechanism]. FPT_TFU.1.3 The TSF shall provide means to authenticate firmware updates to the TOE using a [assignment: digital signature mechanism, published hash, other mechanisms] prior to accepting and installing those updates. FPT_TFU.1.4 The TSF shall provide means to verify the integrity of firmware images to the TOE using a [assignment: hashing algorithm, other mechanisms] prior to accepting and installing those updates. FPT_TFU Trusted Firmware Update 1 6 Security Functional Requirements Notes:  Selections and assignments have been underlined.  Various refinements have been made in the requirements (in bold).  Iterations have been indicated by adding a “/ITERATION” to the SFR and by adding a part to the requirement name (in brackets). Security Management 6.1.1 FMT_SMR.1 Security roles Hierarchical to: No other components. Dependencies: FIA_UID.1 Timing of identification FMT_SMR.1.1 The TSF shall maintain the roles Administrator, Operator and User. FMT_SMR.1.2 The TSF shall be able to associate users with roles. 6.1.2 FMT_SMF.1 Specification of Management Functions Hierarchical to: No other components. Dependencies: No dependencies. FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: 1. Creation/deletion of Operators and Users; 2. Configuration of credentials and access permissions of existing Operators and Users; 3. Trusted path certificate management; 4. Initiate the firmware update operation. 6.1.3 FMT_MOF.1 Management of security functions behaviour Hierarchical to: No other components. Dependencies: FMT_SMR.1 Security roles FMT_SMF.1 Specification of Management Functions FMT_MOF.1.1 The TSF shall restrict the ability to modify the behaviour of the functions defined in FMT_SMF.1 to the Administrator. User Identification and Authentication 6.2.1 FIA_AFL.1 Authentication failure handling Hierarchical to: No other components. Dependencies: FIA_UAU.1 Timing of authentication FIA_AFL.1.1 The TSF shall detect when 7 (for the Administrator role) or 5 (for the Operator and User roles) unsuccessful authentication attempts occur related to user authentication through all the interfaces. FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met, the TSF shall discard any authentication attempts originating from the connecting IP address for 30 minutes. Application note: the interfaces include only the ISAPI interface implementing the protocols HTTPS and RTSP. If the TOE is powered off and back on, the blocking of the IP address is reverted; however, for an attacker to exploit this scenario he would need to have physical access to the TOE, which is assumed not possible. 6.2.2 FIA_SOS.1 Verification of secrets Hierarchical to: No other components. Dependencies: No dependencies. FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet the following: 1. Passwords have a minimum length of 8 characters; 2. Passwords have a maximum length of 16 characters; 3. Passwords contain at least 2 of the following types of characters: lower case, upper case, numbers and special characters. 6.2.3 FIA_UAU.1 Timing of authentication Hierarchical to: No other components. Dependencies: FIA_UID.1 Timing of identification FIA_UAU.1.1 The TSF shall allow the establishment of the trusted path (as defined in FTP_TRP.1) on behalf of the user to be performed before the user is authenticated. FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user. 6.2.4 FIA_UID.1 Timing of identification Hierarchical to: No other components. Dependencies: No dependencies. FIA_UID.1.1 The TSF shall allow the establishment of the trusted path (as defined in FTP_TRP.1) on behalf of the user to be performed before the user is identified. FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user. Trusted path/channels 6.3.1 FTP_TRP.1 Trusted path Hierarchical to: No other components. Dependencies: No dependencies. FTP_TRP.1.1 The TSF shall provide a communication path between itself and remote users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification, disclosure. FTP_TRP.1.2 The TSF shall permit remote users to initiate communication via the trusted path. FTP_TRP.1.3 The TSF shall require the use of the trusted path for initial user authentication through the ISAPI interface, and all subsequent operations performed on those interfaces after the user has been authenticated. Audit Logs 6.4.1 FAU_GEN.1 Audit data generation Hierarchical to: No other components. Dependencies: FPT_STM.1 Reliable time stamps FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the not specified level of audit; and c) Failed user authentication attempts; d) Login/logout of users; e) Creation/deletion of users and configuration of access permissions; f) Initiation of firmware update operations. FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, none. 6.4.2 FAU_SAR.1 Audit review Hierarchical to: No other components. Dependencies: FAU_GEN.1 Audit data generation FAU_SAR.1.1 The TSF shall provide the Administrator, Operator and User roles with the capability to read all the auditable events as defined in FAU_GEN.1 from the audit records. FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information. Protection of the TSF 6.5.1 FPT_STM.1 Reliable time stamps Hierarchical to: No other components. Dependencies: No dependencies FPT_STM.1.1 The TSF shall be able to provide reliable time stamps. 6.5.2 FDP_DAU.1 Basic Data Authentication Hierarchical to: No other components. Dependencies: No dependencies. FDP_DAU.1.1 The TSF shall provide a capability to generate evidence that can be used as a guarantee of the validity of the video data. FDP_DAU.1.2 The TSF shall provide external entities accessing the video data with the ability to verify evidence of the validity of the indicated information. Refinement: there are no defined subjects on the TOE which can verify the validity evidence, therefore the [assignment: list of subjects] operation of FDP_DAU.1.2 has been refined to replace “subjects” with “external entities” to correctly define which entities can perform this operation. Application note: the validity evidence of the video data is provided through the “watermarking” feature of the TOE. The watermarking data is provided together with the video data when video is requested and sent to an external entity, and it’s generated with AES using the video data and other camera data such as model, serial number, time and date. Cryptographic support 6.6.1 AES Data Encryption/Decryption 6.6.1.1 FCS_COP.1/AES Cryptographic operation (AES Data Encryption/Decryption) Hierarchical to: No other components. Dependencies: FCS_CKM.1/AES Cryptographic key generation FCS_CKM.4/AES Cryptographic key destruction FCS_COP.1.1/AES The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm AES in CBC mode and cryptographic key sizes 128 and 256 bits that meet the following: [FIPS197]. 6.6.1.2 FCS_CKM.1/AES Cryptographic key generation Hierarchical to: No other components. Dependencies: FCS_CKM.4/AES Cryptographic key destruction FCS_CKM.1.1/AES The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm random number generation and specified cryptographic key sizes 128 and 256 bits that meet the following: none. 6.6.1.3 FCS_CKM.1/AES_TLS Cryptographic key generation (for TLS) Hierarchical to: No other components. Dependencies: FCS_CKM.4/AES Cryptographic key destruction FCS_CKM.1.1/AES_TLSThe TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm TLS protocol and specified cryptographic key sizes 128 and 256 bits that meet the following: [RFC5246]. 6.6.1.4 FCS_CKM.4/AES Cryptographic key destruction Hierarchical to: No other components. Dependencies: FCS_CKM.1/AES Cryptographic key generation FCS_CKM.4.1/AES The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting the key value with zeros that meets the following: none. 6.6.2 Hash Algorithm 6.6.2.1 FCS_COP.1/Hash Cryptographic operation (Hash Algorithm) Hierarchical to: No other components. Dependencies: FCS_CKM.1/Hash Cryptographic key generation FCS_CKM.4/Hash Cryptographic key destruction FCS_COP.1.1/Hash The TSF shall perform cryptographic hashing in accordance with a specified cryptographic algorithm SHA1, SHA-256, SHA-384, SHA-512, MD5 and cryptographic key sizes none that meet the following: [FIPS 180-4], [RFC1321]. Application note: the dependencies with FCS_CKM.1 and FCS_CKM.4 are not met for Hash operations, as no cryptographic keys are required for this operation (see rationale in 9.3). 6.6.3 Signature Generation and Verification 6.6.3.1 FCS_COP.1/Sign Cryptographic operation (Signature Generation and Verification) Hierarchical to: No other components. Dependencies: FCS_CKM.1/Sign Cryptographic key generation FCS_CKM.4/Sign Cryptographic key destruction FCS_COP.1.1/Sign The TSF shall perform digital signature generation and verification in accordance with a specified cryptographic algorithm RSA with SHA1, RSA with SHA-256, RSA with SHA- 384, RSA with SHA-512 and cryptographic key sizes 1024 and 2048 bits that meet the following: [FIPS PUB 186-4]. 6.6.3.2 FCS_CKM.1/Sign Cryptographic key generation Hierarchical to: No other components. Dependencies: FCS_CKM.4/Sign Cryptographic key destruction FCS_CKM.1.1/Sign The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm RSA key generation and specified cryptographic key sizes 1024 and 2048 bits that meet the following: [FIPS PUB 186-4]. 6.6.3.3 FCS_CKM.4/Sign Cryptographic key destruction Hierarchical to: No other components. Dependencies: FCS_CKM.1/Sign Cryptographic key generation FCS_CKM.4.1/Sign The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting the key value with zeros that meets the following: none. 6.6.4 HMAC 6.6.4.1 FCS_COP.1/HMAC Cryptographic operation (Keyed Hash Algorithm) Hierarchical to: No other components. Dependencies: FCS_CKM.1/HMAC Cryptographic key generation FCS_CKM.4/HMAC Cryptographic key destruction FCS_COP.1.1/HMAC The TSF shall perform keyed-hash message authentication in accordance with a specified cryptographic algorithm HMAC-MD5, HMAC-SHA1, HMAC-SHA-256, HMAC-SHA-384 and cryptographic key sizes 128 and 256 bits that meet the following: [FIPS 198]. 6.6.4.2 FCS_CKM.1/HMAC Cryptographic key generation Hierarchical to: No other components. Dependencies: FCS_CKM.4/HMAC Cryptographic key destruction FCS_CKM.1.1/HMAC The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm key derivation function and specified cryptographic key sizes 128 and 256 bits that meet the following: [FIPS 198]. 6.6.4.3 FCS_CKM.4/HMAC Cryptographic key destruction Hierarchical to: No other components. Dependencies: FCS_CKM.1/HMAC Cryptographic key generation FCS_CKM.4.1/HMAC The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method overwriting the key value with zeros that meets the following: none. TOE Access 6.7.1 FTA_MCS.1 Basic limitation on multiple concurrent sessions Hierarchical to: No other components. Dependencies: FIA_UID.1 Timing of identification FTA_MCS.1.1 The TSF shall restrict the maximum number of concurrent sessions that belong to the same user. FTA_MCS.1.2 The TSF shall enforce, by default, a limit of 128 sessions per user. Application note: the limit of sessions is the limit of connections to the TOE for any type of user. For some of the TOE models this limit is lower. 6.7.2 FTA_SSL.4 User-initiated termination Hierarchical to: No other components. Dependencies: No dependencies FTA_SSL.4.1 The TSF shall allow user-initiated termination of the user's own interactive session. Trusted Firmware Updates 6.8.1 FPT_TFU.1 Trusted Firmware Updates. Hierarchical to: No other components. Dependencies: FCS_COP.1/Sign Cryptographic operation (Signature Generation and Verification) FPT_TFU.1.1 The TSF shall provide Administrator the ability to query the currently executing version of the TOE firmware. FPT_TFU.1.2 The TSF shall provide Administrator the ability to manually initiate updates to the TOE firmware and no other update mechanism. FPT_TFU.1.3 The TSF shall provide means to authenticate firmware updates to the TOE using a RSA2048 with SHA-512 digital signature mechanism as defined in FCS_COP.1/Sign prior to accepting and installing those updates. FPT_TFU.1.4 The TSF shall provide means to verify the integrity of firmware images to the TOE using a RSA2048 with SHA-512 digital signature mechanism as defined in FCS_COP.1/Sign prior to accepting and installing those updates. 7 Security Assurance Requirements This Security Target claims conformance to EAL2, augmented with ALC_FLR.2. This assurance level was chosen to ensure that:  The TOE has a moderate level of assurance in enforcing its security functions when instantiated in its intended environment which imposes no restrictions on assumed activity on applicable networks.  Any remaining security flaws in the TOE that are brought to the notice of the Developer will be remediated. The requirements are summarised in the following table: Assurance Class Component Component Title ADV: Development ADV_TDS.1 Basic design ADV_ARC.1 Security architecture description ADV_FSP.2 Functional specification AGD: Guidance documents AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures ALC_ Life-cycle support ALC_CMC.2 CM capabilities ALC_CMS.2 CM scope ALC_DEL.1 Delivery ALC_FLR.2 Flaw reporting procedures ASE: Security Target evaluation ASE_CCL.1 Conformance claims ASE_ECD.1 Extended components definition ASE_INT.1 ST introduction ASE_TSS.1 TOE summary specification ASE_OBJ.2 Security objectives ASE_REQ.2 Derived security requirements ASE_SPD.1 Security problem definition ATE: Tests ATE_COV.1 Coverage ATE_FUN.1 Functional tests ATE_IND.2 Independent testing AVA: Vulnerability assessment AVA_VAN.2 Vulnerability analysis Table 11 EAL2 requirements description extended with ALC_FLR 8 TOE Summary Specification Security Management FMT_SMR.1: the TOE supports the user types Administrator, Operator and User. FMT_SMF.1: the TOE supports the management functions:  Creation and deletion of Operators and Users. There is only one Administrator user, created by default;  Configuration of credentials and access permissions of existing Operators and Users;  Management of the certificate for the HTTPS trusted path;  Perform firmware update operations. FMT_MOF.1: the Administrator is the only user able to perform the management functions supported by the TOE (as defined in FMT_SMF.1). User Identification and Authentication FIA_AFL.1: the TSF allows 7 failed authentication attempts for the Administrator and 5 for the Operators and Users. When this number is reached, the IP address of the connecting user is blocked for a period of 30 minutes before being able to attempt any further login. If the TOE is powered off and back on, the blocking of the IP address is reverted; however, for an attacker to exploit this scenario he would need to have physical access to the TOE, which is assumed not possible. FIA_SOS.1: the TSF enforces that passwords have a length between 8-16 characters and include at least 2 different types of characters between lowercase, uppercase, numbers and special characters. FIA_UAU.1: users must login into the camera before being able to perform any operation. FIA_UID.1: users must login into the camera before being able to perform any operation. Trusted path/channels FTP_TRP.1: this requirement is met by the implementation of the HTTPS/TLS protocol for the ISAPI interface and the RTS^P protocol. Audit Logs FAU_GEN.1: the TSF generates audit logs by default and stores them in the SD card. The audit logs cover all the audit events as listed in this SFR, and includes details of date/time, user triggering the event and type of event. FAU_SAR.1: the TSF allows the Administrator, the Operators and Users to view the audit logs. Protection of the TSF FPT_STM.1: the camera time settings are configurable by the Administrator, and is used to provide reliable timestamps. FDP_DAU.1: the TSF provides integrity and validity evidence of the video data through the watermarking feature. The watermarking data is provided together with the video data when video is requested and sent to an external entity, and it’s generated with AES using the video data and other camera data such as model, serial number, time and date. Cryptographic support FCS_COP.1: the TSF provides cryptographic services to support the trusted path, user authentication protocols and the video watermarking feature. FCS_CKM.1: the TSF provides key generation services to support the cryptographic services. FCS_CKM.4: the TSF provides key destruction services to support the cryptographic services. TOE Access FTA_MCS.1: the TSF limits the maximum number of user connections to 128. FTA_SSL.4: the TSF allows manual logout of users on all interfaces. Trusted Firmware Updates FPT_TFU.1: the TSF allows the Administrator user to initiate firmware update operations. The firmware image is validated through RSA signature verification. 9 Rationales Security Objectives Rationale This rationale consists of three parts:  A table mapping all the threats and assumptions against security objectives  A rationale that the security objectives uphold all assumptions  A rationale that the security objectives counter all threats 9.1.1 Threats and Assumptions to Security Objectives Mapping Threats and assumptions Objectives A.TRUSTED_USERS A.TRUSTED_NETWORK_SYSTEMS T.UNAUTHORISED_ACCESS T.TRANSMISSION_DISCLOSURE T.VIDEO_MANIPULATION T.CAMERA_UNAVAILABLE T.UPDATE_COMPROMISE O.USER_AUTHENTICATION X O.USER_AUTHORISATION X O.USER_MANAGEMENT X O.AUDIT_LOGS X X X O.TRUSTED_PATH X O.VIDEO_INTEGRITY X O.FIRMWARE_LOAD_INTEGRITY X OE.TRUSTED_USERS X OE.TRUSTED_NETWORK_SYSTEMS X OE.TOE_AVAILABILITY X Table 12 Threats and Assumptions to Security Objectives Mapping 9.1.2 Assumptions to security objectives rationale Assumption Rationale A.TRUSTED_USERS OE.TRUSTED_USERS makes sure that the users with access to the TOE are trusted and that the administrator will correctly configure and install the TOE in its operational environment by following the guidance documentation. A.TRUSTED_NETWORK_SYSTEMS OE.TRUSTED_NETWORK_SYSTEMS addresses the assumption that attackers have no chance to connect any malicious devices into the local network of the TOE. Table 13 Assumptions to security objectives rationale 9.1.3 Threats to security objectives rationale Threat Rationale T.UNAUTHORISED_ACCESS O.USER_AUTHENTICATION mitigates the threat requiring that all users have a mechanism to authenticate to the TOE to get access to the management interface. This objective is completed with O.USER_AUTHORISATION which requires the TOE to allow different operations depending on the role assigned to the user being authenticated. In addition, O.USER_MANAGEMENT assigns to the administrator the privileges of adding and removing users as well as the configuration of their privileges. O.AUDIT_LOGS contributes to the mitigation of the threat by generating and audit record for each user access event. T.TRANSMISSION_DISCLOSURE O.TRUSTED_PATH mitigates this threat by requiring a trusted path before performing any management action in order to protect users credentials. T.VIDEO_MANIPULATION O.VIDEO_INTEGRITY mitigates this threat by implementing an integrity protection mechanisms of the video data transmitted. T.CAMERA_UNAVAILABLE OE.TOE_AVAILABILITY mitigates this threat ensuring that the operational environment protects the TOE against internal attacks aiming to disrupt the availability of the TOE. In addition, O.AUDIT_LOGS also contributes to the mitigation of the threat by generating and audit record each time the video data is unavailable. T.UPDATE_COMPROMISE O.FIRMWARE_LOAD_INTEGRITY mitigates this threat making sure that the TOE verifies the signature of the loaded firmware before installing it. O.AUDIT_LOGS also contributes to the mitigation of the threat by generating and audit record each time there is a firmware loading attempt either successful or unsuccessful. Table 14 Threats to security objectives rationale Security Requirements Rationale This rationale shows that all security objectives for the TOE are upheld by the security functional requirements. Objective Rationale O.USER_AUTHENTICATION This objective is met by FIA_AFL.1, FIA_SOS.1, FIA_UAU.1, FIA_UID.1, FTA_MCS.1 and FTA_SSL.4. O.USER_AUTHORISATION This objective is met by FIA_AFL.1, FIA_SOS.1, FIA_UAU.1, FIA_UID.1, FTA_MCS.1 and FTA_SSL.4. O.USER_MANAGEMENT This objective is met by FMT_SMR.1, FMT_SMF.1 and FMT_MOF.1. O.AUDIT_LOGS This objective is met by FAU_GEN.1, FAU_SAR.1 and FPT_STM.1. O.TRUSTED_PATH This objective is met by FTP_TRP.1, FCS_COP.1/AES, FCS_CKM.1/AES_TLS, FCS_CKM.1/AES, FCS_CKM.4/AES, FCS_COP.1/Sign, FCS_CKM.1/Sign, FCS_CKM.4/Sign, FCS_COP.1/Hash, FCS_COP.1/HMAC, FCS_CKM.1/HMAC and FCS_CKM.4/HMAC. O.VIDEO_INTEGRITY This objective is met by FDP_DAU.1, FCS_COP.1/AES, FCS_CKM.1/AES and FCS_CKM.4/AES. O.FIRMWARE_LOAD_INTEGRITY This objective is met by FPT_TFU.1, FCS_COP.1/Sign, FCS_CKM.1/Sign, FCS_CKM.4/Sign and FCS_COP.1/Hash. Table 15 SFR to security objectives rationale Dependency Rationale This rationale shows that all dependencies of all security requirements have been addressed: Requirement Dependency Rationale FMT_SMR.1 FIA_UID.1 Met by FIA_UID.1 FMT_SMF.1 None n/a FMT_MOF.1 FMT_SMR.1 and FMT_SMF.1 Met by FMT_SMR.1 and FMT_SMF.1 FIA_AFL.1 FIA_UAU.1 Met by FIA_UAU.1 FIA_SOS.1 None n/a FIA_UAU.1 FIA_UID.1 Met by FIA_UID.1 FIA_UID.1 None n/a FTP_TRP.1 None n/a FAU_GEN.1 FPT_STM.1 Met by FPT_STM.1 FAU_SAR.1 FAU_GEN.1 Met by FAU_GEN.1 FPT_STM.1 None n/a FCS_COP.1/AES FCS_CKM.1 and FCS_CKM.4 Met by FCS_CKM.1/AES and FCS_CKM.4/AES FCS_CKM.1/AES FCS_CKM.4 and FCS_COP.1 Met by FCS_CKM.4/AES and FCS_COP.1/AES FCS_CKM.1/AES_TLS FCS_CKM.4 and FCS_COP.1 Met by FCS_CKM.4/AES and FCS_COP.1/AES FCS_CKM.4/AES FCS_CKM.1 Met by FCS_CKM.1/AES FCS_COP.1/Hash FCS_CKM.1 and FCS_CKM.4 Dependencies with FCS_CKM.1 and FCS_CKM.4 are not met. Hashing operations do not require a cryptographic key, so the creation/destruction operations from FCS_CKM.1 and FCS_CKM.4 are not required. FCS_COP.1/Sign FCS_CKM.1 and FCS_CKM.4 Met by FCS_CKM.1/Sign and FCS_CKM.4/Sign FCS_CKM.1/Sign FCS_CKM.4 and FCS_COP.1 Met by FCS_CKM.4/Sign and FCS_COP.1/Sign FCS_CKM.4/Sign FCS_CKM.1 Met by FCS_CKM.1/Sign FCS_COP.1/HMAC FCS_CKM.1 and FCS_CKM.4 Met by FCS_CKM.1/HMAC and FCS_CKM.4/HMAC FCS_CKM.1/HMAC FCS_CKM.4 and FCS_COP.1 Met by FCS_CKM.4/HMAC and FCS_COP.1/HMAC FCS_CKM.4/HMAC FCS_CKM.1 Met by FCS_CKM.1/HMAC FTA_MCS.1 FIA_UID.1 Met by FIA_UID.1 FTA_SSL.4 None. n/a FDP_DAU.1 None. n/a FPT_TFU.1 FCS_COP.1 Met by FCS_COP.1/Sign Table 16 SFR dependencies rationale 10 Abbreviations and glossary [CC] Common Criteria [CIFS] Common Internet File System [DDNS] Dynamic DNS [DNS] Domain Name server [EAL] Evaluation Assurance Level [FTP] File Transfer Protocol [IP] Internet Protocol [ISAPI] IP Surveillance Application Programming Interface [LAN] Local Area Network [NFS] Network File System [NTP] Network Time Protocol [NVR] Network Video Recorder [OS] Operating System [PPPoE] Point-to-Point Protocol over Ethernet [SDK] Software Development Kit [SNMP] Simple Network Management Protocol [ST] Security Target [RTSP] Real Time Streaming Protocol [TOE] Target of Evaluation [TSF] TOE Security Functionality [UPNP] Universal Plug and Play 11 References [1] Common Criteria for Information Technology Security Evaluation. Part 1: Introduction to General Model, Version 3.1, Revision 5, April 2017. [2] Common Criteria for Information Technology Security Evaluation. Part 2: Security functional components, Version 3.1, Revision 5, April 2017. [3] Common Criteria for Information Technology Security Evaluation. Part 3: Security assurance components, Version 3.1, Revision 5, April 2017.