Ärendetyp: 6 Diarienummer: 20FMV1983-26:1 HEMLIG/ enligt Offentlighets- och sekretesslagen (2009:400) 2021-07-09 Country of origin: Sweden Försvarets materielverk Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 Issue: 1.0, 2021-Jul-09 Authorisation: Ulf Noring, Lead Certifier , CSEC Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 2 (20) Table of Contents 1 Executive Summary 3 2 Identification 5 3 Security Policy 6 3.1 I&A, administrative roles and access control 6 3.2 Audit generation and protection 6 3.3 Management 7 3.4 Secure provisioning of clients 7 3.5 Update of configuration 7 3.6 Secure communication channel (TLS) 7 3.7 Encrypted push notifications 8 3.8 Service access channel 8 3.9 Key generation and certificate management 8 3.10 Key distribution to support client data-at-rest security 8 4 Assumptions and Clarification of Scope 9 4.1 Usage Assumptions 9 4.2 Environmental Assumptions 9 4.3 Clarification of Scope 10 5 Architectural Information 11 6 Documentation 13 7 IT Product Testing 14 7.1 Developer Testing 14 7.2 Evaluator Testing 14 7.3 Penetration Testing 14 8 Evaluated Configuration 15 9 Results of the Evaluation 16 10 Evaluator Comments and Recommendations 17 11 Glossary 18 12 Bibliography 19 12.1 General 19 12.2 Documentation 19 Appendix A Scheme Versions 20 A.1 Scheme/Quality Management System 20 A.2 Scheme Notes 20 Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 3 (20) 1 Executive Summary The Target of Evaluation (TOE) is Dencrypt Server System version 5.0, build 5.0.0.122. The Dencrypt Server System consists of the following software compo- nents:  Dencrypt Certificate Manager (DCM)  Dencrypt Provisioning Server (DPS)  Dencrypt Control Center (DCC)  Dencrypt Database (DDB)  Dencrypt Communication Server (DCS)  Dencrypt Server Bridge (DSB)  Debian Linux 8  Apache, PHP, Laravel, MySQL and their dependencies The TOE is the server part of the Dencrypt Communication Solution, a VoIP and mes- saging solution for iPhone clients. The main security features of the TOE are: • Administration: ◦ Identification and authentication of administrators ◦ Administrative roles and privileges associated with those role ◦ Management functions, for managing the DCA clients and TOE itself ◦ Auditing and audit review • Secure provisioning of clients • Trusted channel to clients • Trusted channel to service access • Provisioning to end users of new configurations and central managed phone books • Key generation and certificate issuing and a certificate authority • Secure bridge to another Dencrypt Server System • Encryption of push notifications • TCP tunnelling for voice or video communication The TOE is delivered as an ISO image containing the TOE (Dencrypt developed serv- er system components, the Debian Linux operating system, the Apache server, PHP, the Laravel framework, the MySQL database, and the dependencies for these software components.) The delivery, installation and initial configuration is performed by Den- crypt employees or by personnel that have been trained to perform delivery and instal- lation on behalf of Dencrypt. Guidance is provided in two manuals: • Operational User Guide v. 5.0 • Preparative Guide v. 5.0 The TOE claims conformance to the EAL2 package of security assurance require- ments, augmented with ALC_FLR.2. It does not claim conformance to any Protection Profile (PP). Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 4 (20) Five threats, seven OSPs and eleven assumptions are specified in chapter three in the security target [ST]. The evaluation has been performed by atsec information security AB in their premises in Danderyd, Sweden. The evaluation was completed on 2021-06-22. The evaluation was conducted in accordance with the requirements of Common Criteria (CC), ver- sion. 3.1 release 5. atsec information security AB is a licensed evaluation facility for Common Criteria under the Swedish Common Criteria Evaluation and Certification Scheme. atsec in- formation security AB is also accredited by the Swedish accreditation body according to ISO/IEC 17025 for Common Criteria. The certifier monitored the activities of the evaluator by reviewing all successive ver- sions of the evaluation reports. The certifier determined that the evaluation results confirm the security claims in the Security Target (ST) and the Common Methodology for evaluation assurance level EAL 2 augmented by ALC_FLR.2. The technical in- formation in this report is based on the Security Target [ST] and the Final Evaluation Report (FER) produced by atsec information security AB. The certification results only apply to the version of the product indicated in the cer- tificate, and on the condition that all the stipulations in the Security Target are met. This certificate is not an endorsement of the IT product by CSEC or any other organ- isation that recognises or gives effect to this certificate, and no warranty of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate is either expressed or implied. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 5 (20) 2 Identification Certification Identification Certification ID CSEC2020003 Name and version of the certified IT product Dencrypt Server System 5.0, build 5.0.0.122 Security Target Identification Security Target for Dencrypt Server System version 5.0, 2021-06-11, version 0.17 EAL EAL 2 + ALC_FLR.2 Sponsor Dencrypt A/S Developer Dencrypt A/S ITSEF atsec information security AB Common Criteria version 3.1 revision 5 CEM version 3.1 revision 5 QMS version 1.25 Scheme Notes Release 18.0 Recognition Scope CCRA, SOGIS, EA/MLA Certification date 2021-07-09 Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 6 (20) 3 Security Policy The TOE has the following security functionality:  Identification & authentication, administrative roles and access control  Audit generation and protection  Management functions  Secure provisioning of clients  Update of configuration  Secure communication channel (TLS)  Encrypted push notifications  Service access channel  Key generation and certificate management  Key distribution to support client data-at-rest security For detailed information on the security functionality, see chapter 7 of the [ST]. 3.1 I&A, administrative roles and access control Administrators can access the TOE using a web interface. An HTTPS connection is established from the web browser to the web server of the TOE. Administrators have to identify and authenticate themselves using passwords before administrative access is given. Each administrator will be assigned a role, either User Admin, Company Admin, Sys- tem Admin or Service Access. Each role is associated with certain privileges and the roles are hierarchical. This means Company Admin has more privileges than User Admin, System Admin has more privileges than User Admin and Company Admin, and so on. The Service Access role has highest privilege and is intended for system maintenance and updates. The MySQL database in the DCC holds permission tables that explicitly specify which administrators can access which companies. For every request from the admin- istrator's browser, the TOE checks the role of the administrator and performs a permis- sion evaluation before serving the request. 3.2 Audit generation and protection The DCC generates a log event for all events that change the state of the server system components. In addition to server state change, the log also audits TOE login attempts (both successful and unsuccessful) and error messages from HTTPS requests to server system components. This log is stored in the MySQL database with the setting that no queries can delete or modify entries in that database table. To ensure that audit is al- ways active, there is a log cycle, where logs are overwritten after a specified period of time. For each audit event, the log records the date and time of the event, type of event, subject identity (if applicable), outcome (success or failure) of the event and additional information specific to the event type. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 7 (20) 3.3 Management The management functions available to the administrator depend on the role assigned. The TOE provides the following management functions:  Edit users, groups, departments and emergency contacts  Visualization of statistics  Browser Verification  Company Administration  Administrator Roles & Permissions  View Log  Servers, Certificates & Systems (Read)  Servers, Certificates & Systems (Modify)  Dencrypt Server Bridge management 3.4 Secure provisioning of clients Provisioning starts by the administrator adding the user to the TOE. This will trigger the creation of an invitation link which points to the web server of the Dencrypt Provi- sioning Server (DPS). The link can be encoded into a QR code which a user can scan into the client using the iPhone native camera QR scan functionality. The invitation link contains a random string of 30 characters and must be provided to the user in a secure way, i.e. the link is not disclosed during transmission to anyone else than the intended user. When accessing the link a TLS connection with server authentication is established to protect provisioning data against disclosure and modification. The link is available for a limited time and once accessed the link and the provisioning data will be removed from the DPS. 3.5 Update of configuration The TOE updates the client with new phone books whenever there is a change of users or groups in the Dencrypt Database (DDB). If the configuration of the SIP server in the TOE has changed, the clients will also be updated with new settings for the client. This is achieved by the client polling the TOE for updates. 3.6 Secure communication channel (TLS) The TOE does not initiate any outside connection with the client, but it can accept and establish a secure channel coming from the client or from the web browser of the ad- ministrator. The TOE can initiate and accept connections via the Dencrypt Server Bridge to a different instance of the TOE. The following secure channels are estab- lished: ● Secure SIP connection between client and the SIP server on the Dencrypt Commu- nication Server (DCS), which is a mutually authenticated TLS connection ● Secure HTTPS connection between client and web server on the DCS, which is a mutually authenticated TLS connection ● TLS tunnel channel between client and web server on the DCS, which provides tun- nelling of voice or video communication over TCP and TLS 1.2 ● Secure TLS connection between the TOE and another trusted Instance of the TOE, to enable sharing of phonebook data and forwarding of calls Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 8 (20) ● Secure HTTPS connection between client and web server on the Dencrypt Provi- sioning Server, which is a TLS connection with server side authentication only ● Secure HTTPS connection between web browser of the administrator and the TOE, which is a TLS connection with server side authentication only. For the Dencrypt Server Bridge, a TLS connection can be established to a separate TOE instance to enable calls between different systems. Initially, this connection is used to exchange the metadata and phonebook data to make the calls. SIP call initiali- sation and messages to users belong to a different domain are forwarded by the TOE DCS to the DCS on the other system. In this scenario the DCS can also act as a TLS client. In addition to providing the secure channel it also verifies the identity of the remote system via certificate validation. 3.7 Encrypted push notifications The TOE supports importing an encryption key from the client during client provi- sioning. The key is used for encrypting push notifications to the client, as the push no- tifications are sent via a third party vendor and not through a direct TLS channel be- tween the client and the TOE. 3.8 Service access channel The TOE supports SSH connections for remote service access. 3.9 Key generation and certificate management As part of the installation of the Dencrypt Server System, the Dencrypt Certificate Manager (DMC) generates a 4096-bit RSA key pair and obtains a certificate signed by the root CA. This certificate and the root certificate are installed on Key generation and certificate management the DCM. The DCM is thus made ready to issue certifi- cates to both clients and system servers. client users can access the functionality of the DCM via the DCS or DPS. When a new client user is created and accesses the provi- sioning link, the client will generate a local 3072-bit RSA key pair and submit a Certificate Signing Request (CSR) to the DCM via the DPS. The DCM will then sign the certificate with its own RSA private key if the supplied invite ID is valid and dis- tribute the client certificate and provisioning data to the DCA. For server certificates, each server generates by itself a 4096-bit RSA key pair, creates a CSR and sends it to the DCM. The DCM signs and returns the certificate to the serv- er. Administrators in Service Access role can renew the certificates for the DPS, DCM, DCS and DCC. 3.10 Key distribution to support client data-at-rest security The TOE provides support for data-at-rest functionality of the client by storing and providing an encrypted AES key to the client. The client generates the key to encrypt its stored files. As a measure to protect its data-at-rest in the event of compromise of its underlying hardware, it then encrypts this key and submits it to the TOE. Only the Key Encryption Key is stored locally by the client, ensuring that its storage can only be decrypted after a valid connection and authentication by the TOE. The TOE must as such import, store and distribute this key to the client. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 9 (20) 4 Assumptions and Clarification of Scope 4.1 Usage Assumptions The Security Target [ST] makes four assumptions on the usage of the TOE: A.NOEVIL It is assumed that administrators are given privileges they are authorized for, and that they are competent, non-hostile and follow all their guidance; however, they are capa- ble of error. A.REVIEW It is assumed that audit trails are regularly analysed for misuse and security incidents. A.LINK It is assumed the link, possibly encoded as a QR code, used for provisioning is provid- ed to the correct DCA user and not being disclosed to anyone else. A.USER It is assumed that the DCA users are trustworthy and trained to perform their actions in accordance with their instructions and security policies. 4.2 Environmental Assumptions The Security Target [ST] makes seven assumptions on the operational environment of the TOE: A.NETWORK It is assumed that the underlying hardware of the TOE and local network is dedicated to the TOE usage and function. A.PHYSICAL The TOE is physically protected, i.e. no unauthorised persons have physical access to the TOE and its underlying system. This includes the administrators that only can ac- cess the TOE via the local network or through a trusted VPN connection. A.TIME It is assumed that the IT environment will provide a reliable time source to the TOE and the TOE environment. A.WORKSTATION It is assumed that administrators are performing administration from computers that are well-configured, located in a secure environment and are not exposed to other us- ers or potential attackers. A.TRUSTANCHOR It is assumed that a trust anchor is provided and will be used for TLS connections by the DCAs, administrator browsers and other DSS for validation of TOE certificates when connecting to the TOE. A.FIREWALL It is assumed that the IT environment provides a firewall or other suitable means to protect the TOE from untrusted networks. A.CROSS-SYSTEM It is assumed that separate DSS which the TOE connects to via the DSB to enable cross-system functionality are trusted and operated in a secure manner. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 10 (20) 4.3 Clarification of Scope The Security Target contains five threats which have been considered during the eval- uation: T.COMMUNICATION An external attacker reads or manipulates information transmitted between the TOE and components that are outside of the trusted network. This affects both user and TSF data. T.MASQUERADE An external attacker gain read or write access to information or resources that are held by the TOE including user data, phone books, audit information or any other TSF da- ta. T.UNAUTH An administrator may by accident access data or use management functions for which they have not been authorised to, to read, modify or destroy security critical TSF data or tamper with the TSFs. T.UNDETECTED An external attacker may attempt to compromise the assets without being detected. This threat includes a threat agent causing audit records to be lost, deleted or prevent future records from being recorded by taking actions to exhaust audit storage capacity, thus masking an attacker’s actions. T.BRIDGE An external attacker could intercept or manipulate user and TSF data sent between two DSS via the DSB. The Security Target contains seven Organisational Security Policies (OSPs) which have been considered during the evaluation: OSP.MANAGE The TOE shall provide the authorized administrators with the means to manage the TSFs and the DCAs associated with the TOE installation. OSP.SERVICE The TOE shall provide the authorized secure service access to manage the TSFs and the TOE installation. OSP.ACCOUNT Administrators shall be accountable for the actions they conduct by generating and maintaining sufficient audit records for the actions. OSP.PROVISIONING The TOE must provide a secure provisioning process that can be used for any remote users without access to the secure local network. OSP.CA The TOE must be able to generate its own private-public keys and generate its own certificates as well as sign certificates for DCAs. OSP.CLIENTKEY The TOE must be able to distribute previously encrypted keys to authenticated clients on request, to support data-at-rest protection for the DCA. OSP.TUNNEL The TOE must provide a tunnelling service to enable voice or video communication to the DCA over TCP by tunnelling the connection over TLS 1.2. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 11 (20) 5 Architectural Information The TOE consists of six parts, as can be seen in the below figure: The parts are:  Dencrypt Communication Server The Dencrypt Communication Server (DCS) provides the connections and communi- cation services to the client:  SIP Server – necessary for the clients to establish voice or video communica- tion between two or more clients. Also provides routing for messaging.  Lime server – provides the key-exchange functionality to initiate secure mes- sage communication.  Tunnel server - provides a server to tunnel voice or video communication over TCP.  Dencrypt Certificate Manager Dencrypt Certificate Manager (DCM) is the central point for TLS certificates in the system. Once provisioning has taken place, all connections between the DCA and DSS use mutually authenticated TLS connections. The required TLS certifi- cates are issued by the DCM via the following procedure: The client or server generates the private/public key pair and creates a CSR. The CSR is sent to the DCM which signs the CSR if permitted. The DCM provides the certificate back to client/server for employment. All communication between the DCM and the DCA take place via the DCS, except during provisioning where it takes place via the DPS.  Dencrypt Control Center The user management is performed using the Dencrypt Control Center (DCC). The user management means creating/deleting/revoking users and groups, as well as adding and removing users from these groups. The DCC offers a web interface that is accessible using a web browser from the administrator's local machine. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 12 (20)  Dencrypt Provisioning Server The Dencrypt Provisioning Server (DPS) is used to initialise clients with user cre- dentials, DCS URL and respond to the Certificate Signing Request (CSR) sent from the client to set up its certificate. During provisioning, the client is provided with a HTTPS web link for the initialisation. The link can also be encoded into a QR code which the app can scan. The link is provided in a secure way as part of the TOE  Dencrypt Server Bridge The Dencrypt Server Bridge (DSB) introduces functionality to make Dencrypt Calls between users on two different DSS. It enables Secure Phonebook synchro- nization between systems and routing of SIP or messaging data between systems. The connection between two DSS are protected by a TLS channel. The DSB en- sure that this connection is authenticated.  Dencrypt Database The Dencrypt Database (DDB) provides the database services for the DCS. It keeps the user data and most meta data e.g. call statistics. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 13 (20) 6 Documentation The following documentation comprise the TOE guidance: PREGUIDE Preparative guide & hosting requirements Dencrypt Server System 5.0 OPGUIDE Operational User Guide Dencrypt Server System 5.0 Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 14 (20) 7 IT Product Testing 7.1 Developer Testing The developer uses both automated and manual tests. In total 198 tests were executed to test the TOE and most of them were automated. All TSF has been tested. The de- veloper has provided the results of all test cases that were performed and the source code of the automated tests. All tests were successful. 7.2 Evaluator Testing The evaluators observed when the developer ran all automated developer tests. The evaluator performed a subset of developer manual tests. Totally 186 developer tests were executed. The evaluator also examined the source code of a sample of automated developer tests to verify that they test what they claim. The evaluator further per- formed extra audit and certificate revocation tests created by the evaluator. All securi- ty functionality defined in the ST has been tested. The subset of developer tests re-run by the evaluator went successfully. All evaluator tests were also performed successful- ly. 7.3 Penetration Testing The evaluator performed TCP and UDP port scans of the TOE interfaces from the In- ternet to detect any potential attack surfaces. The evaluator also performed tests on provisioning and TLS. None of the performed penetration tests revealed any applica- ble vulnerability in the TOE. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 15 (20) 8 Evaluated Configuration The IT environment must provide the following:  Mobile devices (iPhones with iOS) where the Dencrypt Connex App is installed.  The virtual or physical amd64 or x86_64 server systems to host and run the TOE components.  Mail server to send new client user invitations.  Push server used for sending notifications to clients. For this evaluation of the cli- ent on iOS, Apple Push Notification (APN) is used.  NTP Server to provide correct time to the TOE components.  An administrative client and browser for the TOE administrator to manage the TOE.  A firewall or other suitable means to protect the TOE from untrusted networks.  Physical protection for the underlying hardware of the TOE  A physically protected local network dedicated to TOE usage and functions  A trust anchor that will be used for TLS connections by clients, administrator browsers and other DSS for validation of TOE certificates when connecting to the TOE.  A DNS server to serve DNS records from pertaining to the TOE [PREGUIDE] can be downloaded from Dencrypt's website and contains an extensive set of detailed instructions for making sure the IT environment is ready for the TOE. It is highly recommended to consult [PREGUIDE] to make sure the IT environment ful- fils the TOE IT environment requirements before purchasing the TOE. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 16 (20) 9 Results of the Evaluation The evaluators applied each work unit of the Common Methodology [CEM] within the scope of the evaluation, and concluded that the TOE meets the security objectives stated in the Security Target [ST] for an attack potential of Basic. The certifier reviewed the work of the evaluator and determined that the evaluation was conducted in accordance with the Common Criteria [CC]. The evaluators overall verdict is PASS. The verdicts for the assurance classes and components are summarised in the follow- ing table: Assurance Class Name / Assurance Family Name Short name (includ- ing component iden- tifier for assurance families) Verdict Security Target Evaluation ST Introduction Conformance claims Security Problem Definition Security objectives Extended components definition Derived security requirements TOE summary specification ASE ASE_INT.1 ASE_CCL.1 ASE_SPD.1 ASE_OBJ.2 ASE_ECD.1 ASE_REQ.2 ASE_TSS.1 PASS PASS PASS PASS PASS PASS PASS PASS Life-cycle support Use of a CM system Parts of the TOE CM Coverage Delivery procedures Flaw reporting procedures ALC ALC_CMC.2 ALC_CMS.2 ALC_DEL.1 ALC_FLR.2 PASS PASS PASS PASS PASS Development Security architecture description Security-enforcing functional specification Basic design ADV ADV_ARC.1 ADV_FSP.2 ADV_TDS.1 PASS PASS PASS PASS Guidance documents Operational user guidance Preparative procedures AGD AGD_OPE.1 AGD_PRE.1 PASS PASS PASS Tests Evidence of coverage Functional testing Independent testing - sample ATE ATE_COV.1 ATE_FUN.1 ATE_IND.2 PASS PASS PASS PASS Vulnerability Assessment Vulnerability analysis AVA AVA_VAN.2 PASS PASS Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 17 (20) 10 Evaluator Comments and Recommendations None. Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 18 (20) 11 Glossary CEM Common Methodology for Information Technology Security, document describing the methodology used in Common Cri- teria evaluations ITSEF IT Security Evaluation Facility, test laboratory licensed to operate within a evaluation and certification scheme ST Security Target, document containing security requirements and specifications , used as the basis of a TOE evaluation TOE Target of Evaluation DSS Dencrypt Server System DCM Dencrypt Certificate Manager DPS Dencrypt Provisioning Server DCA Dencrypt Connex Application DCC Dencrypt Control Center DDB Dencrypt Database DCS Dencrypt Communications Server DSB Dencrypt Server Bridge Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 19 (20) 12 Bibliography 12.1 General CC Combination of CCp1, CCp2, CCp3, and CEM (see below) CCp1 Common Criteria for Information Technology Security Evaluation, Part 1, version 3.1, revision 5, April 2017, CCMB-2017-04-001 CCp2 Common Criteria for Information Technology Security Evaluation, Part 2, version 3.1, revision 5, April 2017, CCMB-2017-04-002 CCp3 Common Criteria for Information Technology Security Evaluation, Part 3:, version 3.1, revision 5, April 2017, CCMB-2017-04-003 CEM Common Methodology for Information Technology Security Evaluation, version 3.1, revision 5, April 2017, CCMB-2017-04-004 ST Security Target for Dencrypt Server System version 5.0, Dencrypt A/S, 2021-06-22, document version 0.17 SP-002 SP-002 Evaluation and Certification, CSEC, 2020-11-30, document ver- sion 32.0 SP-188 SP-188 Scheme Crypto Policy, CSEC, 2020-11-03, document version 10.0 12.2 Documentation PREGUIDE Preparative guide & hosting requirements Dencrypt Server System 5.0, Dencrypt A/S, 2020-12-15, document version 1.4 OPGUIDE Operational User Guide Dencrypt Server System 5.0, Dencrypt A/S, 2020-12-15, document version 1.1 Swedish Certification Body for IT Security Certification Report - Dencrypt Server System 5.0 20FMV1983-26:1 1.0 2021-07-09 20 (20) Appendix A Scheme Versions During the certification the following versions of the Swedish Common Criteria Eval- uation and Certification scheme has been used. A.1 Scheme/Quality Management System Version Introduced Impact of changes 1.25 2021-06-17 None 1.24 2020-11-19 None 1.23.2 2020-05-11 None 1.23.1 Application Original version A.2 Scheme Notes Scheme Note Version Title Applicability SN-15 3.0 Demonstration of test coverage Clarify demonstration of test cover- age at EAL3. SN-18 3.0 Highlighted Re- quirements on the Security Tar- get Clarifications on the content of the ST. SN-22 3.0 Vulnerability Assessment Vulnerability assessment needs to be redone if 30 days or more has passed between AVA and the final version of the final evaluation report. SN-28 1.0 Updated proce- dures application, evaluation and certification Evaluator reports should be received in two batches.