Case type: 6
Registration number: 17FMV3668-32:1
Document ID: CB-015
SECRET/ pursuant to the Public Access to Information and Secrecy Act (2009:400)
2017-11-30
Country of origin: Sweden
Försvarets materielverk

Swedish Certification Body for IT Security

Certification Report - Blancco File Eraser 8.2

Issue: 1.0, 2017-nov-30
Authorisation: Jerry Johansson, Lead certifier, CSEC

Table of Contents

1 Executive Summary
2 Identification
3 Security Policy
3.1 Secure File and Free Disk Space Erasure
3.2 Reporting
4 Assumptions and Clarification of Scope
4.1 Usage Assumptions
4.2 Environmental Assumptions
4.3 Clarification of Scope
5 Architectural Information
6 Documentation
7 IT Product Testing
7.1 Developer Testing
7.2 Evaluator Testing
7.3 Penetration Testing
8 Evaluated Configuration
9 Results of the Evaluation
10 Evaluator Comments and Recommendations
11 Glossary
12 Bibliography
Appendix A Scheme Versions
A.1 Scheme/Quality Management System
A.2 Scheme Notes

1 Executive Summary

Blancco File Eraser 8.2 is a software utility for secure erasure of files and free disk space. There are three editions:

- Home Edition - with graphical user interface, runs on Windows 7, 8, and 10.
- Enterprise Edition - with graphical user interface and command-line interface, runs on Windows 7, 8, and 10.
- Data Center Edition - with graphical user interface and command-line interface, runs on Windows 7, 8, 10, and Windows Server 2008, and 2012.

The evaluation covers both 32 bit and 64 bit versions of Windows, and the file systems FAT32, exFAT, and NTFS.

The TOE also works on older Windows versions, but these are outside the evaluated configuration.
Also, the Management Console is outside the scope of the evaluation.

The Security Target does not claim conformance to any Protection Profile.

There are four assumptions being made in the ST regarding the secure usage and environment of the TOE. The TOE relies on these to counter the one threat and comply with the one organisational security policy (OSP) in the ST. The assumptions, the threat and the OSP are described in chapter 4 Assumptions and Clarification of Scope.

The evaluation has been performed by atsec information security AB in their premises in Danderyd, Sweden.

The evaluation was completed on 2017-11-20. The evaluation was conducted in accordance with the requirements of Common Criteria (CC), version 3.1 revision 5.

atsec information security AB is a licensed evaluation facility for Common Criteria under the Swedish Common Criteria Evaluation and Certification Scheme. atsec information security AB is also accredited by the Swedish accreditation body according to ISO/IEC 17025 for Common Criteria.

The certifier monitored the activities of the evaluator by reviewing all successive versions of the evaluation reports. The certifier determined that the evaluation results confirm the security claims in the Security Target (ST) and the Common Methodology for evaluation assurance level EAL 2 augmented by ALC_FLR.2.

The technical information in this report is based on the Security Target (ST) and the Final Evaluation Report (FER) produced by atsec information security AB.

The certification results only apply to the version of the product indicated in the certificate, and on the condition that all the stipulations in the Security Target are met.

This certificate is not an endorsement of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate is either expressed or implied.

2 Identification

Certification Identification

Certification ID                    CSEC2017003
Name and version of the             Blancco File Eraser 8.2 Home Edition
certified IT product                Blancco File Eraser 8.2 Enterprise Edition
                                    Blancco File Eraser 8.2 Data Center Edition
Security Target Identification      Blancco File Eraser Security Target, Blancco Technology Group IP Oy, 2017-11-10, document version 1.4
EAL                                 EAL 2 + ALC_FLR.2
Sponsor                             Blancco Technology Group IP Oy
Developer                           Blancco Technology Group IP Oy
ITSEF                               atsec information security AB
Common Criteria version             3.1 release 5
CEM version                         3.1 release 5
QMS version                         1.21
Recognition Scope                   CCRA, SOGIS, and EA/MLA
Certification date                  2017-11-30

3 Security Policy

The TOE provides the following services:

- Secure File and Free Disk Space Erasure
- Reporting

3.1 Secure File and Free Disk Space Erasure

The TOE erases data, either comprising a file or unallocated space on a target storage device, by overwriting the data with a selected bit pattern (or sequence of overwrites and verification reading). It is possible to erase system files, and there is a special option to erase the recycle bin.

3.2 Reporting

Each data erasure by the TOE results in a report, specifying for example:

- success/failure, duration, erase method
- number of erased files, name of erased files, size of erased files
- whether previous versions of files were erased
- OS, computer name, Blancco File Eraser version.

4 Assumptions and Clarification of Scope

4.1 Usage Assumptions

The Security Target [ST] makes one assumption on the usage of the TOE.

A.Users
Personnel using the TOE must have been trained, be competent and follow all applicable guidance documentation.

4.2 Environmental Assumptions

The Security Target [ST] makes three assumptions on the operational environment of the TOE.

A.Platform
The underlying hardware, firmware and the operating system functions needed by the TOE to guarantee secure operation are working correctly and have no undocumented security-critical side effect on the functions of the TOE.

A.Time
The platform must provide a time stamp and ensure that the time is correctly set.

A.Repository
The operational environment must provide storage to retain reports generated by the TOE in order to use them later for auditing/erasure proof requirements.

4.3 Clarification of Scope

The Security Target contains one threat, which has been considered during the evaluation.

T.Recovery
A threat agent gains access to a storage device after sensitive data files have been improperly (logically only) erased and is able to recover the contents of the file(s) using software or hardware tools.

The Security Target contains one Organisational Security Policy (OSP), which has been considered during the evaluation.

P.Report
The TOE will report the results of an erasure process providing an indication of the success (or otherwise) and details about how and when it was performed.

5 Architectural Information

The TOE is software only, is delivered electronically, and is available in three Editions:

- Blancco Eraser 8.2 Home Edition
- Blancco Eraser 8.2 Enterprise Edition
- Blancco Eraser 8.2 Data Center Edition

Note that only the Data Center Edition can be installed on server versions of Windows.

All three editions have a graphical user interface, accessible by executing the BlanccoFileEraser.exe application.
The Enterprise Edition and Data Center Edition also feature a separate command-line interface, provided by the separate executable BlanccoFileEraserCmd.exe. The command-line version is suitable for scheduling.

6 Documentation

The following guidance documents are included in the scope of the TOE:

- Blancco File Eraser, User Manual for version 8.2
- Blancco File Eraser, Administrator's Manual for version 8.2
- Blancco File Eraser, Common Criteria Supplement for version 8.2

7 IT Product Testing

7.1 Developer Testing

The developer has used automated testing where feasible, and some complementary manual testing. The developer testing covers all SFRs in detail, including verification of all sequences of overwrite patterns and verification readings within the scope of the evaluation.

Each edition of the TOE (Home Edition, Enterprise Edition, and Data Center Edition) was completely tested on each of the supported operating systems (Windows 7, Windows 8, Windows 10, Windows Server 2008, and Windows Server 2012). Both the graphical user interface and the command-line interface were completely tested, except for the Home Edition, which only has a graphical user interface.

7.2 Evaluator Testing

The evaluators repeated a subset of the developer's tests, and 27 additional tests using the Enterprise Edition of the TOE on Windows 10 for the released version 8.2. The same evaluator testing was also performed using the RC7 (release candidate 7) version of the Data Center Edition on Windows Server 2012 (the released version is RC8).

7.3 Penetration Testing

The evaluators used the Home Edition on Windows 10, and the Data Center Edition on Windows Server 2008 to perform penetration testing.
The penetration testing focussed on some issues with erasing SSD and flash drives, erasing small files (less than 4 kB), and erasure of large files (4 GB on FAT32, larger on exFAT and NTFS).

8 Evaluated Configuration

The TOE provides a large number of erasure methods, but only six of these have been covered by the evaluation:

- HMG Infosec Standard 5, Lower Standard
- HMG Infosec Standard 5, Higher Standard
- US DoD Sanitizing (DoD 5220-22-M)
- NSA 130-1
- NIST SP 800-88 Clear
- Aperiodic random overwrite

There are no claims that the TOE conforms to the standards as such, but the overwrite patterns and the overwrite and verification sequences used match the descriptions in the standard documents referenced in the ST.

The evaluation covers the use of the TOE on the following operating systems:

- Windows 7
- Windows 8
- Windows 10
- Windows Server 2008
- Windows Server 2012

The TOE will also function on some earlier versions of Windows, but this is considered outside the evaluated configuration.

9 Results of the Evaluation

The evaluators applied each work unit of the Common Methodology [CEM] within the scope of the evaluation, and concluded that the TOE meets the security objectives stated in the Security Target [ST] for an attack potential of ¹.

The certifier reviewed the work of the evaluator and determined that the evaluation was conducted in accordance with the Common Criteria [CC].

The evaluators' overall verdict is PASS.

The verdicts for the assurance classes and components are summarised in the following table:

Assurance Class/Family              Component     Verdict
Development                         ADV           PASS
  Security Architecture             ADV_ARC.1     PASS
  Functional Specification          ADV_FSP.2     PASS
  TOE Design                        ADV_TDS.1     PASS
Guidance Documents                  AGD           PASS
  Operational User Guidance         AGD_OPE.1     PASS
  Preparative Procedures            AGD_PRE.1     PASS
Life-cycle Support                  ALC           PASS
  CM Capabilities                   ALC_CMC.2     PASS
  CM Scope                          ALC_CMS.2     PASS
  Delivery                          ALC_DEL.1     PASS
  Flaw Remediation                  ALC_FLR.2     PASS
Security Target Evaluation          ASE           PASS
  ST Introduction                   ASE_INT.1     PASS
  Conformance Claims                ASE_CCL.1     PASS
  Security Problem Definition       ASE_SPD.1     PASS
  Security Objectives               ASE_OBJ.2     PASS
  Extended Components Definition    ASE_ECD.1     PASS
  Security Requirements             ASE_REQ.2     PASS
  TOE Summary Specification         ASE_TSS.1     PASS
Tests                               ATE           PASS
  Coverage                          ATE_COV.1     PASS
  Functional Tests                  ATE_FUN.1     PASS
  Independent Testing               ATE_IND.2     PASS
Vulnerability Assessment            AVA           PASS
  Vulnerability Analysis            AVA_VAN.2     PASS

¹ State the level of attack potential that is applicable.

10 Evaluator Comments and Recommendations

None.

11 Glossary

CC       Common Criteria for Information Technology Security, a set of three documents describing different aspects of Common Criteria evaluations
CEM      Common Methodology for Information Technology Security, document describing the methodology used in Common Criteria evaluations
ITSEF    IT Security Evaluation Facility, test laboratory licensed to operate within an evaluation and certification scheme
ST       Security Target, document containing security requirements and specifications, used as the basis of a TOE evaluation
TOE      Target of Evaluation
SFR      Security Functional Requirement, a requirement included in the ST, on the TOE
TSF      TOE Security Function(s), the part of TOE that implements security mechanisms, as defined in the ST

12 Bibliography

ST         Blancco File Eraser Security Target, Blancco Technology Group IP Oy, 2017-11-24, document version 2.0
USER       Blancco File Eraser, User Manual for version 8.2, Blancco Technology Group IP Oy, 2017-09-19
ADM        Blancco File Eraser, Administrator's Manual for version 8.2, Blancco Technology Group IP Oy, 2017-09-19
CCSuppl    Blancco File Eraser, Common Criteria Supplement for version 8.2, Blancco Technology Group IP Oy, 2017-11-10
CC         Common Criteria for Information Technology Security Evaluation, CCMB-2017-04-001 through 003, document versions 3.1 revision 5
CEM        Common Criteria for Information Technology Security Evaluation, CCMB-2017-04-001 through 003, document versions 3.1 revision 5

Appendix A Scheme Versions

A.1 Scheme/Quality Management System

During the certification the following versions of the Swedish Common Criteria Evaluation and Certification scheme have been used.

Version    Introduced     Impact of changes
1.21       2017-11-15     None
1.20.5     2017-06-28     None
1.20.4     Application    Initial version

A.2 Scheme Notes

The following Scheme Notes have been considered during the evaluation:

• Scheme Note 15 - Demonstration of test coverage
• Scheme Note 18 - Highlighted Requirements on the Security Target