National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme

Validation Report

Protection Profile for Application Software
Version 1.3
31 January 2020

Report Number: CCEVS-VR-PP-0057
Dated: 31 January 2020
Version: 1.0

National Institute of Standards and Technology
Information Technology Laboratory
100 Bureau Drive
Gaithersburg, MD 20899

National Security Agency
Information Assurance Directorate
9800 Savage Road STE 6940
Fort George G. Meade, MD 20755-6940

ACKNOWLEDGEMENTS

Common Criteria Testing Laboratory
Base and Additional Requirements
Gossamer Security Solutions
Catonsville, Maryland

Table of Contents

1 Executive Summary ........ 1
2 Identification ........ 2
3 PP_APP_V1.3 Description ........ 3
4 Security Problem Description and Objectives ........ 4
4.1 Assumptions ........ 4
4.2 Threats ........ 4
4.3 Organizational Security Policies ........ 4
4.4 Security Objectives ........ 4
5 Functional Requirements ........ 7
6 Assurance Requirements ........ 9
7 Results of the Evaluation ........ 10
8 Glossary ........ 11
9 Bibliography ........ 12

PP for Application Software, Version 1.3 Validation Report, 31 January 2020

1 Executive Summary

This report documents the assessment of the National Information Assurance Partnership (NIAP) validation team of the evaluation of the Protection Profile for Application Software, Version 1.3 (PP_APP_V1.3). It presents a summary of the PP_APP_V1.3 and the evaluation results.

Gossamer Security Solutions, located in Catonsville, Maryland, performed the evaluation of PP_APP_V1.3 concurrent with the first product evaluation against the PP's requirements. The evaluated product was Samsung Knox File Encryption 1.0. This evaluation addressed the base requirements of PP_APP_V1.3 and several of the additional requirements contained in Appendices A, B, and C. The Validation Report (VR) author independently performed an additional review of the PP as part of the completion of this VR, to confirm it meets the claimed APE assurance requirements.

The evaluation determined that PP_APP_V1.3 is both Common Criteria Part 2 Extended and Part 3 Extended. The PP identified in this VR has been evaluated at a NIAP approved Common Criteria Testing Laboratory (CCTL) using the Common Methodology for IT Security Evaluation (Version 3.1, Release 5) for conformance to the Common Criteria for IT Security Evaluation (Version 3.1, Release 5).
The Security Target (ST) includes material from the PP_APP_V1.3 and PP-Module for File Encryption, Version 1.0; completion of the ASE work units satisfied the APE work units for PP_APP_V1.3, but only for those parts of the ST that were relevant to this PP.

The evaluation laboratory conducted this evaluation in accordance with the provisions of the NIAP Common Criteria Evaluation and Validation Scheme (CCEVS). The conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence given.

2 Identification

The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, security evaluations are conducted by commercial testing laboratories called CCTLs. CCTLs evaluate products against PPs that contain Evaluation Activities, which are interpretations of CEM work units specific to the technology described by the PP.

In order to promote thoroughness and efficiency, the evaluation of PP_APP_V1.3 was performed concurrent with the first product evaluation against the PP's requirements. In this case, the Target of Evaluation (TOE) was Samsung Knox File Encryption 1.0, evaluated by Gossamer Security Solutions in Catonsville, Maryland, United States of America. These evaluations addressed the base requirements of PP_APP_V1.3, and several of the additional requirements contained in Appendices A, B, and C.

PP_APP_V1.3 contains a set of base requirements that all conformant STs must include, and additionally contains optional, selection-based, and objective requirements. Optional requirements may or may not be included within the scope of the evaluation, depending on whether the vendor provides that functionality within the tested product and chooses to include it inside the TOE boundary.
Selection-based requirements are those that must be included based upon the selections made in other requirements and the capabilities of the TOE. Objective requirements specify optional functionality that the PP authors consider candidates for becoming mandatory requirements in the future.

A specific ST may not include all non-base requirements, so the initial use of the PP addresses (in terms of the PP evaluation) the base requirements and any additional requirements incorporated into the initial ST. The VR authors have evaluated all discretionary requirements that were not claimed in the initial TOE evaluation as part of the evaluation of the APE_REQ work units performed against PP_APP_V1.3. When an evaluation laboratory evaluates a TOE against any additional requirements not already referenced in this VR through an existing TOE evaluation, the VR may be amended to include references to this as additional evidence that the corresponding portions of PP_APP_V1.3 were evaluated.

The following identifies the PP subject of the evaluation or validation, as well as the supporting information from the evaluation performed against this PP.

Protection Profile | Protection Profile for Application Software, Version 1.3, 01 March 2019
ST (Base) | Samsung Electronics Co., Ltd. Samsung Knox File Encryption (PP_APP_V1.3/MOD_FE_V1.0) Security Target, Version 0.5, 06 December 2019
Assurance Activity Report (Base) | Assurance Activity Report (ASPP13/FEM10) for Samsung Electronics Co., Ltd. Samsung Knox File Encryption, Version 0.5, 06 December 2019
CC Version | Common Criteria for Information Technology Security Evaluation, Version 3.1, Release 5
Conformance Result | CC Part 2 Extended, CC Part 3 Extended
CCTL | Gossamer Security Solutions, Catonsville, Maryland 21228

3 PP_APP_V1.3 Description

The PP_APP_V1.3 specifies information security requirements for application software, as well as the assumptions, threats, organizational security policies, objectives, and requirements of a compliant TOE.

The application, which consists of the software provided by its vendor, is installed onto the platform(s) it operates on. It executes on the platform, which may be an operating system, hardware environment, a software-based execution environment, or some combination of these. Those platforms may themselves run within other environments, such as virtual machines or operating systems that completely abstract away the underlying hardware from the application. The TOE is not accountable for security functionality that is implemented by platform layers that are abstracted away.

Some evaluation activities are specific to the particular platform on which the application runs, in order to provide precision and repeatability. The only platforms currently recognized by the App PP are those specified in SFR Evaluation Activities. To test on a platform for which there are no EAs, a Vendor should contact NIAP with recommended EAs. NIAP will determine if the proposed platform is appropriate for the PP and accept, reject, or develop EAs as necessary in coordination with the technical community.

Applications include a diverse range of software such as office suites, thin clients, PDF readers, downloadable smartphone apps, and apps running in a cloud container.
The TOE includes any software in the application installation package, even those pieces that may extend or modify the functionality of the underlying platform, such as kernel drivers. Many platforms come bundled with applications such as web browsers, email clients and media players, and these too should be considered subject to the requirements defined in this document, although the expectation of formal Common Criteria evaluation depends upon the national scheme. BIOS and other firmware, the operating system kernel, and other systems software (and drivers) provided as part of the platform are outside the scope of this document.

This Protection Profile (PP) describes security requirements for application software, which is the Target of Evaluation (TOE).

4 Security Problem Description and Objectives

4.1 Assumptions

The specific conditions listed in the following subsections are assumed to exist in the TOE's Operational Environment. These assumptions include both practical realities in the development of the TOE security requirements and the essential environmental conditions on the use of the TOE.

Table 1: Assumptions

Assumption Name | Assumption Definition
A.PLATFORM | The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying platform and whatever runtime environment it provides to the TOE.
A.PROPER_USER | The user of the application software is not willfully negligent or hostile, and uses the software in compliance with the applied enterprise security policy.
A.PROPER_ADMIN | The administrator of the application software is not careless, willfully negligent or hostile, and administers the software in compliance with the applied enterprise security policy.

4.2 Threats

The following table contains applicable threats.
Table 2: Threats

Threat Name | Threat Definition
T.NETWORK_ATTACK | An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may engage in communications with the application software or alter communications between the application software and other endpoints in order to compromise it.
T.NETWORK_EAVESDROP | An attacker is positioned on a communications channel or elsewhere on the network infrastructure. Attackers may monitor and gain access to data exchanged between the application and other endpoints.
T.LOCAL_ATTACK | An attacker can act through unprivileged software on the same computing platform on which the application executes. Attackers may provide maliciously formatted input to the application in the form of files or other local communications.
T.PHYSICAL_ACCESS | An attacker may try to access sensitive data at rest.

4.3 Organizational Security Policies

This protection profile contains no organizational security policies.

4.4 Security Objectives

The following table contains security objectives for the TOE.

Table 3: Security Objectives for the TOE

TOE Security Objective | TOE Security Objective Definition
O.INTEGRITY | Conformant TOEs ensure the integrity of their installation and update packages, and also leverage execution environment-based mitigations. Software is seldom, if ever, shipped without errors. The ability to deploy patches and updates to fielded software with integrity is critical to enterprise network security. Processor manufacturers, compiler developers, execution environment vendors, and operating system vendors have developed execution environment-based mitigations that increase the cost to attackers by adding complexity to the task of compromising systems. Application software can often take advantage of these mechanisms by using APIs provided by the runtime environment or by enabling the mechanism through compiler or linker options.
O.QUALITY | To ensure quality of implementation, conformant TOEs leverage services and APIs provided by the runtime environment rather than implementing their own versions of these services and APIs. This is especially important for cryptographic services and other complex operations such as file and media parsing. Leveraging this platform behavior relies upon using only documented and supported APIs.
O.MANAGEMENT | To facilitate management by users and the enterprise, conformant TOEs provide consistent and supported interfaces for their security-relevant configuration and maintenance. This includes the deployment of applications and application updates through the use of platform-supported deployment mechanisms and formats, as well as providing mechanisms for configuration. This also includes providing control to the user regarding disclosure of any PII.
O.PROTECTED_STORAGE | To address the issue of loss of confidentiality of user data in the event of loss of physical control of the storage medium, conformant TOEs will use data-at-rest protection. This involves encrypting data and keys stored by the TOE in order to prevent unauthorized access to this data. This also includes unnecessary network communications whose consequence may be the loss of data.
O.PROTECTED_COMMS | To address both passive (eavesdropping) and active (packet modification) network attack threats, conformant TOEs will use a trusted channel for sensitive data. Sensitive data includes cryptographic keys, passwords, and any other data specific to the application that should not be exposed outside of the application.

The following table contains security objectives for the Operational Environment.
Table 4: Security Objectives for the Operational Environment

Environmental Security Objective | Environmental Security Objective Definition
OE.PLATFORM | The TOE relies upon a trustworthy computing platform for its execution. This includes the underlying operating system and any discrete execution environment provided to the TOE.
OE.PROPER_USER | The user of the application software is not willfully negligent or hostile, and uses the software within compliance of the applied enterprise security policy.
OE.PROPER_ADMIN | The administrator of the application software is not careless, willfully negligent or hostile, and administers the software within compliance of the applied enterprise security policy.

5 Functional Requirements

As indicated above, requirements in the PP_APP_V1.3 are comprised of the "base" requirements and additional requirements that are optional, selection-based, or objective. The following table contains the "base" requirements that were validated as part of the Gossamer Security Solutions evaluation activities referenced above.
Table 5: Base Requirements

Requirement Class | Requirement Component | Verified By
FCS: Cryptographic Support | FCS_CKM_EXT.1: Cryptographic Key Generation Services | Samsung Knox File Encryption 1.0
FCS: Cryptographic Support | FCS_RBG_EXT.1: Random Bit Generation Services | Samsung Knox File Encryption 1.0
FCS: Cryptographic Support | FCS_STO_EXT.1: Storage of Credentials | Samsung Knox File Encryption 1.0
FDP: User Data Protection | FDP_DAR_EXT.1: Encryption of Sensitive Application Data | Samsung Knox File Encryption 1.0
FDP: User Data Protection | FDP_DEC_EXT.1: Access to Platform Resources | Samsung Knox File Encryption 1.0
FDP: User Data Protection | FDP_NET_EXT.1: Network Communications | Samsung Knox File Encryption 1.0
FMT: Security Management | FMT_CFG_EXT.1: Secure by Default Configuration | Samsung Knox File Encryption 1.0
FMT: Security Management | FMT_MEC_EXT.1: Supported Configuration Mechanism | Samsung Knox File Encryption 1.0
FMT: Security Management | FMT_SMF.1: Specification of Management Functions | Samsung Knox File Encryption 1.0
FPR: Privacy | FPR_ANO_EXT.1: User Consent for Transmission of Personally Identifiable Information | Samsung Knox File Encryption 1.0
FPT: Protection of the TSF | FPT_AEX_EXT.1: Anti-Exploitation Capabilities | Samsung Knox File Encryption 1.0
FPT: Protection of the TSF | FPT_API_EXT.1: Use of Supported Services and APIs | Samsung Knox File Encryption 1.0
FPT: Protection of the TSF | FPT_IDV_EXT.1: Software Identification and Versions | Samsung Knox File Encryption 1.0
FPT: Protection of the TSF | FPT_LIB_EXT.1: Use of Third Party Libraries | Samsung Knox File Encryption 1.0
FPT: Protection of the TSF | FPT_TUD_EXT.1: Integrity for Installation and Update | Samsung Knox File Encryption 1.0
FTP: Trusted Path/Channel | FTP_DIT_EXT.1: Protection of Data in Transit | Samsung Knox File Encryption 1.0

The following table contains the "Optional" requirements contained in Appendix A, and an indication of how those requirements were evaluated (from the list in the Identification section above).
If no completed evaluations have claimed a given optional requirement, the VR author has evaluated it through the completion of the relevant APE work units and has indicated its verification through "PP Evaluation."

Table 6: Optional Requirements

Requirement Class | Requirement Component | Verified By
FCS: Cryptographic Support | FCS_CKM.1(2): Cryptographic Symmetric Key Generation | Samsung Knox File Encryption 1.0

The following table contains the "Selection-Based" requirements contained in Appendix B, and an indication of what evaluation those requirements were verified in (from the list in the Identification section above). If no completed evaluations have claimed a given selection-based requirement, the VR author has evaluated it through the completion of the relevant APE work units and has indicated its verification through "PP Evaluation."

Table 7: Selection-Based Requirements

Requirement Class | Requirement Component | Verified By
FCS: Cryptographic Support | FCS_CKM.1(1): Cryptographic Asymmetric Key Generation | PP Evaluation
FCS: Cryptographic Support | FCS_CKM.1(3): Password Conditioning | Samsung Knox File Encryption 1.0
FCS: Cryptographic Support | FCS_CKM.2: Cryptographic Key Establishment | PP Evaluation
FCS: Cryptographic Support | FCS_COP.1(1): Cryptographic Operation - Encryption/Decryption | Samsung Knox File Encryption 1.0
FCS: Cryptographic Support | FCS_COP.1(2): Cryptographic Operation - Hashing | PP Evaluation
FCS: Cryptographic Support | FCS_COP.1(3): Cryptographic Operation - Signing | PP Evaluation
FCS: Cryptographic Support | FCS_COP.1(4): Cryptographic Operation - Keyed-Hash Message Authentication | Samsung Knox File Encryption 1.0
FCS: Cryptographic Support | FCS_HTTPS_EXT.1: HTTPS Protocol | PP Evaluation
FCS: Cryptographic Support | FCS_RBG_EXT.2: Random Bit Generation from Application | PP Evaluation
FIA: Identification and Authentication | FIA_X509_EXT.1: X.509 Certificate Validation | PP Evaluation
FIA: Identification and Authentication | FIA_X509_EXT.2: X.509 Certificate Authentication | PP Evaluation
FPT: Protection of the TSF | FPT_TUD_EXT.2: Integrity for Installation and Update | PP Evaluation

The following table contains the "Objective" requirements contained in Appendix C, and an indication of what evaluation those requirements were verified in (from the list in the Identification section above). If no completed evaluations have claimed a given objective requirement, the VR author has evaluated it through the completion of the relevant APE work units and has indicated its verification through "PP Evaluation."

Table 8: Objective Requirements

Requirement Class | Requirement Component | Verified By
FPT: Protection of the TSF | FPT_API_EXT.2: Use of Supported Services and APIs | PP Evaluation

6 Assurance Requirements

The following are the assurance requirements contained in the PP_APP_V1.3.

Table 9: Assurance Requirements

Requirement Class | Requirement Component | Verified By
ADV: Development | ADV_FSP.1: Basic Functional Specification | Samsung Knox File Encryption 1.0
AGD: Guidance Documents | AGD_OPE.1: Operational User Guidance | Samsung Knox File Encryption 1.0
AGD: Guidance Documents | AGD_PRE.1: Preparative Procedures | Samsung Knox File Encryption 1.0
ALC: Life-cycle Support | ALC_CMC.1: Labeling of the TOE | Samsung Knox File Encryption 1.0
ALC: Life-cycle Support | ALC_CMS.1: TOE CM Coverage | Samsung Knox File Encryption 1.0
ALC: Life-cycle Support | ALC_TSU_EXT.1: Timely Security Updates | Samsung Knox File Encryption 1.0
ASE: Security Target | ASE_CCL.1: Conformance Claims | Samsung Knox File Encryption 1.0
ASE: Security Target | ASE_ECD.1: Extended Components Definition | Samsung Knox File Encryption 1.0
ASE: Security Target | ASE_INT.1: ST Introduction | Samsung Knox File Encryption 1.0
ASE: Security Target | ASE_OBJ.1: Security Objectives | Samsung Knox File Encryption 1.0
ASE: Security Target | ASE_REQ.1: Security Requirements | Samsung Knox File Encryption 1.0
ATE: Tests | ATE_IND.1: Independent Testing - Sample | Samsung Knox File Encryption 1.0
AVA: Vulnerability Assessment | AVA_VAN.1: Vulnerability Survey | Samsung Knox File Encryption 1.0

7 Results of the Evaluation

Note that for APE elements and work units that are identical to ASE elements and work units, the lab performed the APE work units concurrent to the ASE work units.

Table 10: Evaluation Results

APE Requirement | Evaluation Verdict | Verified By
APE_CCL.1 | Pass | Samsung Knox File Encryption 1.0
APE_ECD.1 | Pass | Samsung Knox File Encryption 1.0
APE_INT.1 | Pass | Samsung Knox File Encryption 1.0
APE_OBJ.2 | Pass | Samsung Knox File Encryption 1.0
APE_REQ.2 | Pass | Samsung Knox File Encryption 1.0
APE_SPD.1 | Pass | Samsung Knox File Encryption 1.0

8 Glossary

The following definitions are used throughout this document:

• Common Criteria Testing Laboratory (CCTL). An IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the CCEVS Validation Body to conduct Common Criteria-based evaluations.
• Conformance. The ability to demonstrate in an unambiguous way that a given implementation is correct with respect to the formal model.
• Evaluation. The assessment of an IT product against the Common Criteria using the Common Criteria Evaluation Methodology as interpreted by the supplemental guidance in the PP_APP_V1.3 Evaluation Activities to determine whether or not the claims made are justified.
• Evaluation Evidence. Any tangible resource (information) required from the sponsor or developer by the evaluator to perform one or more evaluation activities.
• Target of Evaluation (TOE). A group of IT products configured as an IT system, or an IT product, and associated documentation that is the subject of a security evaluation under the CC.
• Validation. The process carried out by the CCEVS Validation Body leading to the issue of a Common Criteria certificate.
• Validation Body. A governmental organization responsible for carrying out validation and for overseeing the day-to-day operation of the NIAP Common Criteria Evaluation and Validation Scheme.
9 Bibliography

The Validation Team used the following documents to produce this VR:

[1] Common Criteria Project Sponsoring Organisations. Common Criteria for Information Technology Security Evaluation: Part 1: Introduction and General Model, Version 3.1, Revision 5, April 2017.
[2] Common Criteria Project Sponsoring Organisations. Common Criteria for Information Technology Security Evaluation: Part 2: Security Functional Requirements, Version 3.1, Revision 5, April 2017.
[3] Common Criteria Project Sponsoring Organisations. Common Criteria for Information Technology Security Evaluation: Part 3: Security Assurance Requirements, Version 3.1, Revision 5, April 2017.
[4] Common Criteria Project Sponsoring Organisations. Common Evaluation Methodology for Information Technology Security, Version 3.1, Revision 5, April 2017.
[5] Common Criteria Evaluation and Validation Scheme for Information Technology Security. Guidance to Validators of IT Security Evaluations, Scheme Publication #3, Version 3.0, May 2014.
[6] Protection Profile for Application Software, Version 1.3, 01 March 2019.
[7] Samsung Electronics Co., Ltd. Samsung Knox File Encryption (PP_APP_V1.3/MOD_FE_V1.0) Security Target, Version 0.5, 06 December 2019.
[8] Assurance Activity Report (ASPP13/FEM10) for Samsung Electronics Co., Ltd. Samsung Knox File Encryption, Version 0.5, 06 December 2019.