MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 1 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es REF: 2008-4-INF-315 V1 Distribution: Public Date: 07.11.2008 Created: CERT8 Reviewed:TECNICO Approved: JEFEAREA CERTIFICATION REPORT FOR SECUWARE VIRTUAL SYSTEM v4.1.0.276 Dossier: 2008-4 Secuware Virtual System (SVS) v4.1.0.276 References: EXT-481 Certification Request of SVS v4.1.0.276 EXT-664 Evaluation Technical Report of SVS v4.1.0.276, 08-09-2008, v2.0, Epoche & Espri CCRA Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security, May 2000. Certification Report of the product Secuware Virtual System (SVS), version 4.1.0.276, with certification request reference [EXT-481], of January 14th 2008, and evaluated by the laboratory Epoche & Espri, according to [CCRA], as described in the evaluation technical report [EXT-664] received on September 8th 2008. MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 2 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es Table Of Contents SUMMARY...........................................................................................................................................................3 TOE SUMMARY..................................................................................................................................................5 SECURITY ASSURANCE REQUIREMENTS .............................................................................................................6 SECURITY FUNCTIONAL REQUIREMENTS............................................................................................................6 IDENTIFICATION..............................................................................................................................................8 SECURITY POLICIES .......................................................................................................................................8 ASSUMPTIONS AND OPERATIONAL ENVIRONMENT............................................................................8 THREATS ............................................................................................................................................................8 OPERATIONAL ENVIRONMENT OBJECTIVES.........................................................................................................9 TOE ARCHITECTURE ......................................................................................................................................9 DOCUMENTS ....................................................................................................................................................10 TOE TESTING...................................................................................................................................................11 TOE CONFIGURATION..................................................................................................................................11 EVALUATION RESULTS................................................................................................................................11 COMMENTS & RECOMMENDATIONS FROM THE EVALUATION TEAM.......................................12 CERTIFIER RECOMMENDATIONS ............................................................................................................12 GLOSSARY........................................................................................................................................................12 BIBLIOGRAPHY...............................................................................................................................................13 SECURITY TARGET........................................................................................................................................13 MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 3 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es Summary This document represents the Certification Report for certification dossier of product Secuware Virtual System (SVS), version 4.1.0.276. Secuware Virtual System (SVS) is a complete isolated combination of a security operating system called SOS, a optionally operating system (mainly Windows Embedded,Windows PE or Linux) and a set of applications (designed for SOS or the embedding OS). The combination of Embedded OS and applications is out of the TOE and it is referred as payload in the rest of the document. Secuware SVS warrants confidentiality and integrity in untrusted and virtualized environments. Although the virtual environment (e.g. Virtual Machine (VM) ware) uses the resources of the physical host PC, Secuware's security technology completely isolates those resources, ensuring that the payload and the rest of the SVS sensitive information cannot be accessed or modified by Internet-borne malware or unauthorised users. SVS is provided as a disk image, bootable by virtualization environments like VM ware. Developer/manufacturer: Secuware Sponsor: Secuware Certification Body: Centro Criptológico Nacional (CCN) del Centro Nacional de Inteligencia (CNI). ITSEF: Epoche & Espri Protection Profile: none Evaluation Level: CC v3.1 EAL2 Evaluation end date: 08/09/2008 Taking into account the results obtained in the Security Analysis performed in every aspect covered by the evaluation activities, and the verdicts assigned to each class; it has been concluded that: The TOE Secuware Virtual System (SVS) 4.1.0.276 does fulfil all the requirements specified in its Security Target, and therefore, the laboratory Epoche & Espri assigns the verdict PASS to the evaluation. MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 4 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es Therefore, the Spanish Certification Body proposes the approving resolution of the requested certification. MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 5 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es TOE Summary The TOE comprises the SVS image. SVS can be considered as a security system based on a fully encrypted disk image which allows only authorised users to transport and access the payload in a secure manner. SVS image has been designed to be loaded under a virtualization environment, like VM ware. Every time SVS boots, a new and completely clean environment is created, effectively preventing any malware from entering into the system. TOE guarantees the integrity and confidentiality of the payload as well as the integrity of the TOE itself. Any change in the content of the SVS image (including the payload) will lead to a rejection of the booting. The TOE relies in the enciphering of the binary image of the secured operating system and a CRC 32-bit verification mechanism to protect SVS from unauthorized modifications. Pre-boot authentication mechanism (PBA) assures that only the authorised user can load SVS and therefore access the payload it contains, guaranteeing its confidentiality. The user must authenticate to the SVS presenting his/her credentials. The credentials include the smart card eDNI (Spanish electronic Identification Card) and a user password. Due to the necessity of an external user secret (password), the security of the product is highly increased. SVS CC EAL2 configurations completely assure the integrity of SVS at the same time that the access to the payload is controlled. The TOE does not rely on its IT environment to achieve any of its required security properties. However, it is supposed that the platform where SVS is loaded is free from any keylogger or malware that could compromise the password provided by the user. Therefore, it is assumed the existence of a secure communication channel between the user and the TOE for the password transference. On the other hand, the TOE relies in a Virtual Environment for its execution and isolation from the underlying hardware platform. The TOE under the evaluated configuration requires VM ware virtualization software. Any operating system and hardware supported by this product is indirectly supported by the TOE. The asset of this TOE is the integrity and confidentiality of the user data (payload) and the integrity of the TSF itself. • TOE guarantees the integrity and confidentiality of the payload. TOE guarantees also that the payload does not compromise the overall security of the TOE, even if it has malicious behaviour. • TOE guarantees the integrity of the TOE itself, assuring that only an unmodified SVS image can be launched. MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 6 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es • Pre-boot Authentication (PBA) ensures that only authorised users can load the SVS image and access the payload. • SVS could run from a floppy disk image – due to its small size – on an insecure environment or PC. Security Assurance Requirements The product was evaluated with all the evidences needed to satisfy the extent defined by the evaluation assurance level EAL2, according to the section 3 of CC v3.1 r2. ASE_INT.1 ST Introduction ASE_CCL.1 Conformance claims ASE_SPD.1 Security problem definition ASE_OBJ.2 Security objectives ASE_ECD.1 Extended components definition ASE_REQ.2 Derived security requirements ASE_TSS.1 TOE summary specification AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures ALC_CMC.2 Use of a CM system ALC_CMS.2 Parts of the TOE CM coverage ALC_DEL.1 Delivery procedures ADV_ARC.1 Security architecture description ADV_FSP.2 Security-enforcing functional specification ADV_TDS.1 Basic design ATE_COV.1 Evidence of coverage ATE_FUN.1 Functional testing ATE_IND.2 Independent testing - sample AVA_VAN.2 Vulnerability analysis Security Functional Requirements The security functionality of the product Security Operating System satisfies the following functional requirements according to the section 2 of CC v3.1 r2: MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 7 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es FPT_FLS.1 Failure with preservation of secure state FDP_SDI.2 Stored data integrity monitoring and action FIA_UID.1 Timing of identification FIA_UAU.1 Timing of authentication FDP_ACC.2 Complete access control FMT_MSA.1 Management of security attributes FDP_ACF.1 Security attribute based access control MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 8 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es Identification Product: Secuware Virtual System (SVS) v4.1.0.276 Security Target: SVS Security Target EAL2, v2.0 08-09-2008. Protection Profile: none Evaluation Level: CC v3.1 r2 EAL2 Security Policies This product does not implement any organizational policy. Assumptions and operational environment The following assumptions constrain the conditions over which the security properties and functionality referred in the security target is assured. In case of any of this assumptions couldn’t be assumed it wouldn’t be possible to assure the secure operation of the TOE. Assumption 01: < AS.SECCHANNEL > It is assumed that the environment where the TOE is loaded is free from any keylogger or malware that could compromise the password provided by the user. Therefore, it is assumed the existence of a secure communication channel between the user and the TOE for the password transference. Threats The following threats don’t mean an exploiting risk to the product Security Operating System; even against attackers with EAL2 “BASIC” attack potential while complaining with the assumptions and the security policies. The resistance to any other threat not included in this list is not assured as a result of the product properties evaluation and the corresponding certificate. MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 9 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es Threats covered: Threat 01: < T.INT > The TOE will be subject to attacks from untrusted IT elements from its IT environment. Any malware or untrusted IT element in the TOE environment, or even an untrusted user having access to the TOE may try to modify the integrity of the TOE payload or the TOE itself. Threat 02: < T.IMP > An unauthorized user attempts to impersonate a legitimate user, or to gain unauthorized execution of the TOE or unauthorized access to the payload. Thus, this threat is focused on compromising the confidentiality of the payload as well as subverting the access control mechanism implemented by the TOE. Operational environment objectives The product needs the environment collaboration to cover some of the objectives of the defined security problem. The following objectives are covered by the environment: Objective 01: < OE. SECCHANNEL > The TOE Environment shall provide the user with a secure communication channel between the user and the TOE for the password transference, in order to avoid the password compromise by any keylogger or malware. The details of either the product environment definition (assumptions, threats and security policies) or the security requirements of the TOE can be found on the Security Target. TOE Architecture Next figure shows the TOE logical boundary. The referenced elements are further described in next sections: MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 10 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es Due to TOE nature (software product), there is no physical boundary. Pre Boot Authentication (PBA) PBA is the kernel of Secuware Virtual System. The principal PBA functionalities are encrypting and decrypting data transparently, user authentication and integrity verification. The pre-boot authentication feature prevents attackers from breaking into the system to attack secure environment. Payload The payload is part of the TOE, as the main asset to protect. It does not enforce any security properties of the TOE, and it can even be untrusted. In any case, the secure access to the payload is always ensured by the TOE. Payload integrity and confidentiality is assured by TOE Security Functions, but payload behaviour is completely out of the scope of TOE evaluation. However, TOE assures that payload behaviour – even malicious behaviour – does not compromise the claimed security requirements. Documents The product includes the following documents that must be delivered jointly to the users of the evaluated version. MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 11 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es • Secuware Virtual System – Security Target EAL2, v2.0, 08/09/2008 • Secuware Virtual System – Operational User Guidance, v1.4, 28/04/2008 • Secuware Virtual System – Preparative Procedures, v1.3, 17/04/2008 TOE Testing The approach defined for the developers testing plan is suitable to check the behaviour on the TOE through its interfaces. All the security interfaces TSFI defined are covered by test cases, and therefore the manufacturer test coverage is demonstrated. For all test cases, expected results match to the obtained results. The evaluator repeated all the test cases specified and checked that the results match to those obtained by the developer. The evaluator designed a set of test following a suitable strategy for the TOE type. The independent test plan includes test cases for all the TSFIs defined. TOE Configuration Following hardware requirements are needed for executing Secuware Virtual System. • Any Personal Computer or Server with basic memory and processor capabilities. Following software requirements are needed for executing Secuware Virtual System: • SVS needs Vmware Workstation version 4, 5 or 6 as well as Vmware Player 1 or 2 as the underlying virtualization software. Evaluation Results The product Secuware Virtual System (SVS) v4.1.0.276 has been evaluated against the security target “SVS Security Target EAL2”, v2.0 of September 8th 2008. All the assurance components required in an EAL2 evaluation have achieved the verdict “PASS”. Therefore, the laboratory Epoche & Espri assigns the verdict “PASS” MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 12 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es to the whole evaluation for satisfying all the evaluator actions defined in the Common Criteria and Common Evaluation Methodology version 3.1 r2. Comments & Recommendations from the Evaluation Team This section describes several important aspects that could influence the use of the product, taking into account the scope of the findings of the evaluation. 1. The use of virtualization Technologies allows an attacker with a moderate attack potential, to compromise the TOE integrity control mechanism. In case of disk encrypted systems with the key internally stored, the virtualisation techniques allows to install an hypervisor in the host and acquire an execution trace (and the memory content), locate the cipher loop and elicit the cipher keys allowing the replacement of the encrypted ISO parts with others. 2. The authentication with DNIe does not require the PIN allowing the possibility of user impersonation. Certifier Recommendations Taking into account the results obtained during the certification of the product Secuware Virtual System (SVS) 4.1.0.276 the Spanish Certification Body proposes the approving resolution of the requested certification. Glossary CCN Centro Criptológico Nacional CB Certification Body PBA Pre-boot authentication mechanism SOS Security Operating System eDNI Spanish electronic Identification Card IT Information Technology PC Personal Computer TOE Target of Evaluation GUI Graphical User Interface MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN Página 13 de 13 Avenida del Padre Huidobro s/n Fax: + 34 91 372 58 08 Email: certificación.ccn@cni.es Bibliography The following rules and documents have been used during the product evaluation: [CC_P1] Common Criteria for Information Technology Security Evaluation- Part 1: Introduction and general model, Version 3.1, r1, September 2007. [CC_P2] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 3.1, r1, September 2007. [CC_P3] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements, Version 3.1, r1, September 2007. [CEM] Common Evaluation Methodology for Information Technology Security: Introduction and general model, Version 3.1, r1, September 2007. Security Target In addition to this report, the Security Target is available at the Certification Body: “SVS Security Target EAL2” version 2.0, September 8th 2008.