Certification Report Page 1 KECS-CR-23-30 ubCUBE v3.7 Certification Report Certification No.: KECS-CISS-1236-2023 2023. 4. 28. IT Security Certification Center Certification Report Page 2 History of Creation and Revision No. Date Revised Pages Description 00 2023. 4. 28. - Certification report for ubCUBE v3.7 - First documentation Certification Report Page 3 This document is the certification report for ubCUBE v3.7 of Iqpad, Inc. The Certification Body IT Security Certification Center The Evaluation Facility KOREA TESTING & RESEARCH INSTITUTE (KTR) Certification Report Page 4 Table of Contents 1. Executive Summary ................................................................................................... 5 2. Identification............................................................................................................... 9 3. Security Policy.......................................................................................................... 10 4. Assumptions and Clarification of Scope ................................................................ 10 5. Architectural Information......................................................................................... 10 1. Physical Scope of TOE........................................................................................... 10 2. Logical Scope of TOE..............................................................................................11 6. Documentation ......................................................................................................... 14 7. TOE Testing............................................................................................................... 15 8. Evaluated Configuration .......................................................................................... 15 9. Results of the Evaluation......................................................................................... 16 10. Recommendations ................................................................................................... 19 11. Security Target.......................................................................................................... 20 12. Acronyms and Glossary .......................................................................................... 21 13. Bibliography ............................................................................................................. 23 Certification Report Page 5 1. Executive Summary This report describes the certification result drawn by the certification body on the results of the ubCUBE v3.7 developed by Iqpad, Inc. with reference to the Common Criteria for Information Technology Security Evaluation (“CC” hereinafter)[1]. It describes the evaluation result and its soundness and conformity. The Target of Evaluation (“TOE” hereinafter) is Electronic Document Encryption designed to protect important documents managed by the organization based on the encryption/decryption. Also, the TOE provides a variety of security features: security audit, the user identification and authentication including mutual authentication between TOE components, security management, the TOE access session management, and the TSF protection function, etc. The evaluation of the TOE has been carried out by KOREA TESTING & RESEARCH INSTITUTE(KTR) and completed on April 24, 2023. The ST claims conformance to the Korean National Protection Profile for Electronic Document Encryption V1.1[3]. All Security Assurance Requirements (SARs) in the ST are based only upon assurance component in CC Part 3, and the TOE satisfies the SARs of Evaluation Assurance Level EAL1+. Therefore, the ST and the resulting TOE is CC Part 3 conformant. The Security Functional Requirements (SFRs) are based upon both functional components in CC Part 2 and a newly defined component in the Extended Component Definition chapter of the PP, therefor the ST, and the TOE satisfies the SFRs in the ST. Therefore, the ST and the resulting TOE is CC Part 2 extended. [Figure 1] shows the operational environment where the TOE is operated. The TOE is composed of the ubCUBE ubPortal v3.7.0.3(hereinafter 'ubPortal'), ubCUBE Agent v3.7.0.3 (hereinafter 'Agent') and should be installed and operated inside the internal network of the protected organization. Certification Report Page 6 [Figure 1] Operational Environment of the TOE The administrator sets the policy for each document user through the ubCUBE ubPortal, which distributes the policy and cryptographic key configured by the administrator to the ubCUBE Agent. The ubCUBE Agent performs Electronic Document encryption/decryption using the validated cryptographic module according to the distributed policy, and the encrypted/decrypted document is stored in the user PC as a file. The 'ubXFS Cryptographic Module V1.1' validated cryptographic module is used for the cryptographic operation of the major security features of the TOE. For the communication between the TOE component and the administrator (e.g., the administrator accesses the ubCUBE ubPortal using the web browser to configure policies), TLS 1.2 is used. There are external entities necessary for the operation of the TOE including the NTP server to synchronize time and email server to notify the authorized administrator in case of audit data loss. The requirements for hardware, software, and operating system to install the TOE are as in [Table 1]. Certification Report Page 7 Component Requirement Remarks ubPortal H/W CPU Intel(R) Xeon(R) 3 GHz 6 core or higher - HDD Space required for TOE installation is 100 GB or higher - RAM 16 GB or higher - NIC 100/1000 Mbps 1 Port or higher - S/W OS Microsoft Windows Server 2012 R2 Standard (64bit) Supported operation systems of the ubPortal 3rd Party S/W Microsoft IIS 8.5 Microsoft .NET Framework 4.5 Microsoft .NET Framework 4.7 Microsoft ASP.NET 4.5 Microsoft SQL Server 2016 Third-party software required to run ubPortal Agent H/W CPU Intel i3 Dual Core 2.50 GHz or higher - HDD 4 GB or higher - RAM Space required for TOE installation is 10 GB or higher - NIC 100/1000 Mbps 1 Port or higher - S/W OS Microsoft Windows 10 Pro (64 bit) Microsoft Windows 10 Enterprise (64 bit) Supported operation systems of the Agent 3rd Party S/W Microsoft Visual C++ 2015 Redistributable Update 3 Microsoft Office 2010, 2013, 2016, 2019 Hancom Office 2010, 2014, 2018, NEO Adobe Acrobat Reader DC Third-party software required to run Agent [Table 1] Hardware/Software Requirements for the TOE External IT entities linked to the TOE operation are as follows. Certification Report Page 8 Classification Description SMTP Server Email server to send security alerts by email to the authorized administrator NTP Server Time server to synchronize time to provide reliable time stamp [Table 2] External IT entities Word processing programs that support Electronic Document Encryption are as follows. Application Document Type (file extension) MS Office Word doc, docx MS Office PowerPoint ppt, pptx MS Office Excel xls, xlsx Hancom Office hwp Adobe Acrobat Reader pdf [Table 3] Encryption/Decryption document types Certification Validity: The certificate is not an endorsement of the IT product by the government of Republic of Korea or by any other organization that recognizes or gives effect to this certificate, and no warranty of the IT product by the government of Republic of Korea or by any other organization recognizes or gives effect to the certificate, is either expressed or implied. Certification Report Page 9 2. Identification The TOE reference is identified as follows. TOE ubCUBE v3.7 Version 3.7.0.3 TOE Components - ubCUBE ubPortal v3.7.0.3 - ubCUBE Agent v3.7.0.3 Manuals - ubCUBE v3.7 Operation Guide(ubPortal) v1.1 - ubCUBE v3.7 Operation Guide(Agent) v1.1 - ubCUBE v3.7 Preparation Procedure v1.3 [Table 4] TOE Identification [Table 5] summarizes additional information for scheme, developer, sponsor, evaluation, facility, certification body, etc. Scheme Korea Evaluation and Certification Guidelines for IT Security (MSIT Notice No. 2022-61, October 31, 2022.) Korea Evaluation and Certification Regulation for IT Security (May 17, 2021) Common Criteria Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5, CCMB-2017-04-001 ~ CCMB-2017-04-003, April 2017 TOE ubCUBE v3.7 EAL EAL1+ (ATE_FUN.1) Protection Profile Korean National PP for Electronic Document Encryption V1.1 (December 11, 2019) Developer Iqpad, lnc. Sponsor Iqpad, lnc. Evaluation Facility KOREA TESTING & RESEARCH INSTITUTE Completion Date of Evaluation April 24, 2023 [Table 5] Additional identification information Certification Report Page 10 3. Security Policy The TOE implements policies pertaining to the following security functional classes: - Security Audit - Cryptographic Support - User Data Protection - Identification and Authentication - Security Management - Prtoection of the TSF - TOE Access Complete details of the security functional requirements (SFRs) can be found in the Security Target (ST) [4]. 4. Assumptions and Clarification of Scope There are no Assumptions in the Security Problem Definition in the ST. The scope of this evaluation is limited to the functionality and assurance covered in the Security Target. This evaluation covers only the specific software version identified in this document, and not any earlier or later versions released or in process. (for the detailed information of TOE version and TOE Components version refer to the [Table 4]) 5. Architectural Information 1. Physical Scope of TOE The physical scope of the TOE consists of the TOE's components, namely ubCUBE ubPortal v3.7.0.3 and ubCUBE Agent v3.7.0.3 as well as guidance documents such as ubCUBE v3.7 Preparation Procedure and ubCUBE v3.7 Operation Guide, which are included in the product, ubCUBE v3.7. The TOE is offered in the form of software. Classification Identification Type TOE component ubCUBE ubPortal v3.7.0.3 (ubCUBE_v3.7_ubPortal_Setup_v3.7.0.3.exe) Software (Distributed as a Certification Report Page 11 ubCUBE Agent v3.7.0.3 (ubCUBE_v3.7_Agent_Setup_v3.7.0.3.exe) CD) Manuals ubCUBE v3.7 Operation Guide(ubPortal) v1.1 (OPE-ubCUBE_v3.7_ubPortal-v1.1.pdf) PDF (Distributed as a CD) ubCUBE v3.7 Operation Guide(Agent) v1.1 (OPE-ubCUBE_v3.7_Agent-v1.1.pdf) ubCUBE v3.7 Preparation Procedure v1.3 (PRE-ubCUBE_v3.7-v1.3.pdf) [Table 6] Physical scope of TOE Validated cryptographic modules included the TOE are as follows. Classification Description Cryptographic Module ubXFS Cryptographic Module V1.1 Validation No. CM-195-2026.11 Developer Iqpad, lnc. Validation Date 2021. 11. 18. Expiration Date 2026. 11. 18. [Table 7] Validated Cryptographic Module 2. Logical Scope of TOE The logical scope of the TOE is shown in the following figure. Certification Report Page 12 [Figure 2] Logical scope of the TOE ▣ Security Audit The TOE creates and records audit data of the events to the DBMS when a defined audit event occurs. Information including date and time of the event, type of event, subject identity, and result of event (success or failure) are stored in an audit record. The authorized administrator can view the stored audit records and search the records by event type and search conditions. If any potential security violation such as failure of authentication, integrity violation, failure of self-test, exceed of audit trail threshold, exceed of maximum size of audit trail is detected, the TOE sends an email to the administrator to inform the administrator of the potential violation. If audit trail exceeds maximum size, the TOE overwrites the oldest stored audit records to prevent a loss of audit data. ▣ Cryptographic support The TOE uses the 'ubXFS Cryptographic Module V1.1' validated cryptographic module to perform cryptographic key generation, distribution, destruction, and cryptographic operation. TOE generates 256bit DEK for document and TSF data encryption with Hash_DRBG (SHA- 256), KEK for DEK encryption is generated by NIST 800-132 KDF. DEK is securely Certification Report Page 13 distributed with a public key algorithm (RSAES-OAEP, 3072bit) between TOE components. Cryptographic operation for document and TSF data is performed with a symmetric algorithm (ARIA-CBC) whose key size is 256bit. TOE mutual authentication is performed with a public key algorithm (RSAES-OAEP, 3072bit), digital signature of policy data is performed with a digital signature algorithm (RSA-PSS, 3072bit), integration check of TSF data is performed with HMAC(SHA-256), and authentication data is encrypted with SHA- 256. A cryptographic key is securely destructed with zeroization in memory after use. ▣ User data protection The TOE performs access control of the authorized user on document encryption /decryption and use (Expiration date/Modification of permissions/Print) according to the security policy. The authorized administrator can set access control policy per document grade, user/department/group. The access control policy is set based on the security attribute of the user (ID, Allowed document grade, Department ID of the user, Group ID of the user) and the security attribute of protected a document (document type, expiration date). The following table shows the document types that the TOE supports encryption/decryption. Application Document Type (file extension) MS Office Word doc, docx MS Office PowerPoint ppt, pptx MS Office Excel xls, xlsx Hancom Office hwp Adobe Acrobat Reader pdf ▣ Identification and authentication The TOE performs mutual authentication between TOE components with the internally implemented authentication protocol, provides identification and authentication of administrator and user based on ID and password. Password is set by combination of each of alphabetical, numerical, and special characters and the length is at least 9 digits and less than 30 digits. The input characters of password are masked with "●" to prevent from disclosure. No feedback is provided on a reason for the failure if authentication fails. When the defined number set by the administrator of unsuccessful authentication attempts has been met, the account is locked out. Reuse of authentication data is prevented with time stamp. The system(global) policy is applied to the user before authentication and the user can access a protected document according to a policy after authentication. The administrator is authenticated through web browser and can perform security management function after authentication. Certification Report Page 14 ▣ Security Management TOE provides management of security functions, security attributes, and TSF data to the authorized administrator. The authorized administrator can manage security function including user and department, security policy, and administrator management through web browser and can manage important TSF data including authentication data, security policy data, and cryptographic key data as well. ▣ Protection of the TSF The TOE communicates securely to protect transmitted data between TOE components with a public key cryptographic algorithm and assures confidentiality and integrity with a validated cryptographic module. In addition, the TOE protects TSF data that is stored in the repository controlled by the TSF with encryption and digital signature in order to prevent unauthorized disclosure and modification. The TOE runs a suite of self-tests during initial start-up, periodically during normal operation to prevent unauthorized deletion of agent settings and ensure integrity. The TOE notifies the authorized administrator if an integrity violation is detected. The TOE prevents unauthorized deletion of agent files and unauthorized termination of agent processes with periodic monitoring between agent processes related to the TOE. ▣ TOE access The TOE provides a management function to register IP addresses that are allowed for management access and performs an access control function that management access is allowed only from a registered IP address. The TOE also restricts the number of maximum concurrent sessions belonging to the same user and permission as 1. The TOE terminates an interactive session of the authorized administrator after 5 minutes of inactivity. 6. Documentation The following documentation is evaluated and provided with the TOE by the developer to the customer. Identification Date ubCUBE v3.7 Operation Guide(ubPortal) v1.1 (OPE-ubCUBE_v3.7_ubPortal-v1.1.pdf) April 6, 2023 ubCUBE v3.7 Operation Guide(Agent) v1.1 (OPE-ubCUBE_v3.7_Agent-v1.1.pdf) April 6, 2023 ubCUBE v3.7 Preparation Procedure v1.3 (PRE-ubCUBE_v3.7-v1.3.pdf) April 7, 2023 [Table 8] Documentation Certification Report Page 15 7. TOE Testing The evaluator conducted independent testing listed in Independent Testing Report [5], based upon test cases devised by the evaluator. The evaluator took a testing approach based on the security services provided by each TOE components based on the operational environment of the TOE. Each test case includes the following information: - Test no. and conductor: Identifier of each test case and its conductor - Test Purpose: Includes the security functions and modules to be tested - Test Configuration: Details about the test configuration - Test Procedure detail: Detailed procedures for testing each security function - Expected result: Result expected from testing - Actual result: Result obtained by performing testing - Test result compared to the expected result: Comparison between the expected and actual result The evaluator set up the test configuration and testing environment consistent with the ST [4]. In addition, the evaluator conducted penetration testing based upon test cases devised by the evaluator resulting from the independent search for potential vulnerabilities. These tests cover weakness analysis of privilege check of executable code, bypassing security functionality, invalid inputs for interfaces, vulnerability scanning using commercial tools, disclosure of secrets, and so on. No exploitable vulnerabilities by attackers possessing basic attack potential were found from penetration testing. The evaluator confirmed that all the actual testing results correspond to the expected testing results. The evaluator testing effort, the testing approach, configuration, depth, and results are summarized in the Penetration Testing Report [6]. 8. Evaluated Configuration The TOE is software consisting of the following components: TOE: ubCUBE v3.7 Version: 3.7.0.3 - ubCUBE ubPortal v3.7.0.3 - ubCUBE Agent v3.7.0.3 The Administrator can identify the complete TOE reference after installation using the Certification Report Page 16 product’s Info check menu. And the guidance documents listed in this report chapter 6 were evaluated with the TOE 9. Results of the Evaluation The evaluation facility wrote the evaluation result in the ETR which references Single Evaluation Reports for each assurance requirement and Observation Reports. The evaluation result was based on the CC [1] and CEM [2]. The TOE was evaluated based on Common Criteria for Information Technology Security Evaluation. (EAL1+). 1. Security Target Evaluation (ASE) The ST Introduction correctly identifies the ST and the TOE, and describes the TOE in a narrative way at three levels of abstraction (TOE reference, TOE overview and TOE description), and these three descriptions are consistent with each other. Therefore, the verdict PASS is assigned to ASE_INT.1. The Conformance Claim properly describes how the ST and the TOE conform to the CC and how the ST conforms to PPs and packages. Therefore, the verdict PASS is assigned to ASE_CCL.1. The Security Objectives for the operational environment are clearly defined. Therefore, the verdict PASS is assigned to ASE_OBJ.1. The Extended Components Definition has been clearly and unambiguously defined, and it is necessary. Therefore, the verdict PASS is assigned to ASE_ECD.1. The Security Requirements is defined clearly and unambiguously, and they are internally consistent. Therefore, the verdict PASS is assigned to ASE_REQ.1. The TOE Summary Specification addresses all SFRs, and it is consistent with other narrative descriptions of the TOE. Therefore, the verdict PASS is assigned to ASE_TSS.1. Thus, the ST is sound and internally consistent, and suitable to be used as the basis for the TOE evaluation. The verdict PASS is assigned to the assurance class ASE. 2. Development Evaluation (ADV) The functional specifications specify a high-level description of the SFR-enforcing and SFR- Certification Report Page 17 supporting TSFIs, in terms of descriptions of their parameters. Therefore, the verdict PASS is assigned to ADV_FSP.1. The verdict PASS is assigned to the assurance class ADV. 3. Guidance Documents Evaluation (AGD) The procedures and steps for the secure preparation of the TOE have been documented and result in a secure configuration. Therefore, the verdict PASS is assigned to AGD_PRE.1. The operational user guidance describes for each user role the security functionality and interfaces provided by the TSF, provides instructions and guidelines for the secure use of the TOE, addresses secure procedures for all modes of operation, facilitates prevention and detection of insecure TOE states, or it is misleading or unreasonable. Therefore, the verdict PASS is assigned to AGD_OPE.1. Thus, the guidance documents are adequately describing the user can handle the TOE in a secure manner. The guidance documents take into account the various types of users (e.g. those who accept, install, administrate or operate the TOE) whose incorrect actions could adversely affect the security of the TOE or of their own data. The verdict PASS is assigned to the assurance class AGD. 4. Life Cycle Support Evaluation (ALC) The developer has clearly identified the TOE. Therefore, the verdict PASS is assigned to ALC_CMC.1. The configuration management document verifies that the configuration list includes the TOE and the evaluation evidence. Therefore, the verdict PASS is assigned to ALC_CMS.1. Also, the evaluator confirmed that the correct version of the software is installed in device. The verdict PASS is assigned to the assurance class ALC. 5. Test Evaluation (ATE) The developer correctly performed and documented the tests in the test documentation. Therefore the verdict PASS is assigned to ATE_FUN.1. Certification Report Page 18 By independently testing a subset of the TSFI, the evaluator confirmed that the TOE behaves as specified in the functional specification and guidance documentation. Therefore, the verdict PASS is assigned to ATE_IND.1. Thus, the TOE behaves as described in the ST and as specified in the evaluation evidence (described in the ADV class). The verdict PASS is assigned to the assurance class ATE. 6. Vulnerability Assessment (AVA) By penetrating testing, the evaluator confirmed that there are no exploitable vulnerabilities by attackers possessing basic attack potential in the operational environment of the TOE. Therefore, the verdict PASS is assigned to AVA_VAN.1. Thus, potential vulnerabilities identified, during the evaluation of the development and anticipated operation of the TOE or by other methods (e.g. by flaw hypotheses), don’t allow attackers possessing basic attack potential to violate the SFRs. The verdict PASS is assigned to the assurance class AVA. 7. Evaluation Result Summary Assurance Class Assurance Component Evaluator Action Elements Verdict Evaluator Action Elements Assurance Component Assurance Class ASE ASE_INT.1 ASE_INT.1.1E PASS PASS PASS ASE_INT.1.2E PASS ASE_CCL.1 ASE_CCL.1.1E PASS PASS ASE_OBJ.1 ASE_OBJ.1.1E PASS PASS ASE_ECD.1 ASE_ECD.1.1E PASS PASS ASE_ECD.1.2E PASS ASE_REQ.1 ASE_REQ.1.1E PASS PASS ASE_TSS.1 ASE_TSS.1.1E PASS PASS Certification Report Page 19 Assurance Class Assurance Component Evaluator Action Elements Verdict Evaluator Action Elements Assurance Component Assurance Class ASE_TSS.1.2E PASS ADV ADV_FSP.1 ADV_FSP.1.1E PASS PASS PASS ADV_FSP.1.2E PASS AGD AGD_PRE.1 AGD_PRE.1.1E PASS PASS PASS AGD_PRE.1.2E PASS AGD_OPE.1 AGD_OPE.1.1E PASS PASS ALC ALC_CMC.1 ALC_CMC.1.1E PASS PASS PASS ALC_CMS.1 ALC_CMS.1.1E PASS PASS ATE ATE_FUN.1 ATE_FUN.1.1E PASS PASS PASS ATE_IND.1 ATE_IND.1.1E PASS PASS ATE_IND.1.2E PASS AVA AVA_VAN.1 AVA_VAN.1.1E PASS PASS PASS AVA_VAN.1.2E PASS AVA_VAN.1.3E PASS [Table 7] Evaluation Result Summary 10. Recommendations The TOE security functionality can be ensured only in the evaluated TOE operational environment with the evaluated TOE configuration, thus the TOE shall be operated by complying with the followings: ⚫ The Server must be installed and operated in a physically secure environment accessible only by authorized administrators and should not allow remote management from outside. Certification Report Page 20 ⚫ The administrator shall maintain a safe state such as application of the latest security patches, eliminating unnecessary service, change of the default ID/password, etc., of the operating system and DBMS in the TOE operation. ⚫ The administrator should periodically checks a spare space of audit data storage in case of the audit data loss, and carries out the audit data backup to prevent audit data loss. 11. Security Target ubCUBE v3.7 Security Target V1.2 [4] is included in this report for reference. Certification Report Page 21 12. Acronyms and Glossary (1) Acronyms CC Common Criteria CEM Common Methodology for Information Technology Security Evaluation EAL Evaluation Assurance Level ETR Evaluation Technical Report SAR Security Assurance Requirement SFR Security Functional Requirement ST Security Target TOE Target of Evaluation TSF TOE Security Functionality TSFI TSF Interface (2) Glossary Authorized Document User The TOE user who may, in accordance with the SFRs, perform an operation Authorized Administrator Authorized user to securely operate and manage the TOE Data Encryption Key (DEK) Key that encrypts the data Decryption Certification Report Page 22 The act that restoring the ciphertext into the plaintext using the decryption key Encryption The act that converting the plaintext into the ciphertext using the cryptographic key External Entity An entity (person or IT object) that interact (or can interact) with the TOE from outside the TOE. Key Encryption Key (KEK) Key that encrypts another cryptographic key Random Bit Generator (RBG) A device or algorithm that outputs a binary sequence that is statistically independent and is not biased. The RBG used for cryptographic application generally generates 0 and 1 bit string, and the sequence can be combined into a random bit block. The RBG is classified into the deterministic and non-deterministic type. The deterministic type RBG is composed of an algorithm that generates bit strings from the initial value called a "seed key," and the non-deterministic type RBG produces output that depends on the unpredictable physical source. Validated Cryptographic Module A cryptographic module that is validated and given a validation number by validation authority Word Processing Program Program used to process the important documents, such as generation, modification, manipulation, and print of documents (e.g., Hangul word processor, MS word processor, Certification Report Page 23 Acrobat, Excel, Computer Aided Design(CAD), etc.) 13. Bibliography The evaluation facility has used following documents to produce this report. [1] Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5, CCMB-2017-04-001 ~ CCMB-2017-04-003, April, 2017 [2] Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5, CCMB-2017-04-004, April, 2017 [3] Korean National Protection Profile for Electronic Document Encryption V1.1, December 11, 2019 [4] ubCUBE v3.7 Security Target V1.2, April 10, 2023 [5] ubCUBE v3.7 Independent Testing Report(ATE_IND.1) V1.00, April 10, 2023 [6] ubCUBE v3.7 Penetration Testing Report(AVA_VAN.1) V1.00, April 10, 2023