MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN

Transcription

1 REF: INF-357 V1.0 Distribution: Public Date: Created: CERT8 Reviewed: TECNICO Approved: JEFEAREA CERTIFICATION REPORT FOR Microsoft SDK for Open XML Formats v1.0 Dossier: Ms SDK for Open XML Formats v1.0 References: EXT-479 Certification Request of Ms SDK for Open XML Formats v1.0 EXT-747 Evaluation Technical Report of Ms SDK for Open XML Formats v1.0, 9 th March 2009, v2.0, Epoche & Espri CCRA Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security, May Certification Report of the product Ms SDK for Open XML Formats, OpenXMLSDK.msi, version 1.0, with certification request reference [EXT-479], of 27 th January 2008, and evaluated by the laboratory Epoche & Espri, according to [CCRA], as described in the evaluation technical report [EXT-747] received on 1 st April Página 1 de 12

2 Table Of Contents SUMMARY... 3 TOE SUMMARY... 4 SECURITY ASSURANCE REQUIREMENTS... 4 SECURITY FUNCTIONAL REQUIREMENTS... 5 IDENTIFICATION... 6 SECURITY PROBLEM... 6 OPERATIONAL ENVIRONMENT OBJECTIVES... 6 TOE ARCHITECTURE... 7 PHYSICAL SCOPE... 7 LOGICAL SCOPE... 7 DOCUMENTS... 8 TOE TESTING... 9 TOE CONFIGURATION... 9 EVALUATION RESULTS... 9 COMMENTS & RECOMMENDATIONS FROM THE EVALUATION TEAM... 9 CERTIFIER RECOMMENDATIONS GLOSSARY BIBLIOGRAPHY SECURITY TARGET Página 2 de 12

3 Summary This document represents the Certification Report for certification dossier of product Microsoft SDK for Open XML Formats, v1.0. The TOE is a set of.net libraries that implements the creation of Office Open XML compliant electronic documents, their electronic signature and packaging in accordance with the Office Open XML Open Packaging Conventions, and the reverse operation of unpackaging, electronic signature verification and Office Open XML validation. The TOE may be used by any third party developer that may wish to add the TOE capabilities to their third party products Developer/manufacturer: Microsoft Corporation Sponsor: Microsoft Ibérica Certification Body: Centro Criptológico Nacional (CCN) del Centro Nacional de Inteligencia (CNI). ITSEF: Epoche & Espri Protection Profile: none Evaluation Level: CC v3.1 EAL1 Evaluation end date: 10 th March 2009 Taking into account the results obtained in the Security Analysis performed in every aspect covered by the evaluation activities, and the verdicts assigned to each class; it has been concluded that: The TOE Ms SDK for Open XML Formats, OpenXMLSDK.msi, version 1.0 does fulfil all the requirements specified in its Security Target, and therefore, the laboratory Epoche & Espri assigns the verdict PASS to the evaluation. Therefore, the Spanish Certification Body proposes the approving resolution of the requested certification Página 3 de 12

4 TOE Summary The TOE is a set of libraries that implement the Office Open XML Open Packaging Conventions (OPC). These libraries are available as a SDK for Open XML Formats, provided by Microsoft. The TOE, based on.net technology, allows creating a valid Office Open XML document, to electronically sign it, and to compose a package according to the Open Packaging Conventions. Office Open XML is an open standard for word-processing documents, presentations, and spreadsheets that can be freely implemented by multiple applications on different platforms. OpenXML is designed to faithfully represent existing word-processing documents, presentations, and spreadsheets that are encoded in binary formats defined by Microsoft Office applications. An OpenXML file is stored in a ZIP archive for packaging and compression. The structure of any OpenXML file can be viewed using a ZIP viewer. Structurally, an OpenXML document is an Open Packaging Conventions (OPC) package composed of a collection of parts. The relationships between the parts are themselves stored in parts. The ZIP format supports random access to each part. The parts in an OpenXML package are created as XML markup. Because XML is structured plain text, the contents of a part can be viewed using text readers or can be parsed using processes such as XPath. Security Assurance Requirements The product was evaluated with all the evidences needed to satisfy the extent defined by the evaluation assurance level EAL1, according to the section 3 of CC v3.1 r2. ASE_INT.1 ASE_CCL.1 ASE_OBJ.1 ASE_ECD.1 ASE_REQ.1 ASE_TSS.1 AGD_OPE.1 AGD_PRE.1 ST Introduction Conformance claims Security objectives for the operational environment Extended components definition Stated security requirements TOE summary specification Operational user guidance Preparative procedures Página 4 de 12

5 ALC_CMC.1 ALC_CMS.1 ADV_FSP.1 ATE_IND.1 AVA_VAN.1 Labelling of the TOE Parts of the TOE CM coverage Basic functional specification Independent testing - conformance Vulnerability survey Security Functional Requirements The security functionality of the product Security Operating System satisfies the following functional requirements according to the section 2 of CC v3.1 r2: FDP_DAU.1 Basic Data Authentication Página 5 de 12

6 Identification Product: Ms SDK for Open XML Formats, OpenXMLSDK.msi, v1.0 Security Target: OpenXML Open Packaging Low Assurance Security Target, v2.0 March, the 2 nd Protection Profile: none Evaluation Level: CC v3.1 r2 EAL1 Security Problem On a low assurance ST, there is no need to describe the security problem definition but the security objectives for the operational environment shall still be described. Operational environment objectives The following objectives are covered by the environment: Objective 01: SIGNATURE KEYS AND CERTIFICATES The operational environment of the TOE is in charge of maintaining the signature keys under the sole control of the signatory of the Open Office XML document, and also in charge of maintaining the integrity of the public certificates required to validate a signed Open Office XML document. Objective 02: CRYPTO SERVICES The operational environment of the TOE is the provider of the cryptographic services that the TOE invokes to perform the digital signature creation and verification of the Open Office XML documents. The TOE does not prefer any cryptographic algorithm or key length, but uses one of the many provided by the operational environment cryptographic services, as selected by the user. Note that the strength of the cryptographic algorithms is out of the scope of the Common Criteria certification. Página 6 de 12

7 TOE Architecture Physical scope Due to TOE nature (software product), there is no physical boundary. Logical scope The product performs two independent tasks the package creation and the signature creation and validation each of one can be addressed by a separate framework as shown below: OPEN XML package creation a) To create an OPEN XML package, two approaches may be applied: Microsoft.Office.DocumentFormat.OpenXml.Packaging Namespace (is in an external assembly that may be download and install - the classes are in the Microsoft.Office.DocumentFormat.OpenXml assembly. System.IO.Packaging Namespace (System.IO.Packaging is part of the.net Framework 3.0 and The classes are in the WindowsBase assembly). b) Sign and validate signatures: To sign and validate signatures, applications can use the.net 3.5 classes PackageDigitalSignatureManager. The package-specific classes, defined in the System.IO.Packaging namespace, build on the digital signature classes of the Microsoft.NET 3.5 Framework defined in the System.Security.Cryptography namespace. The PackageDigitalSignatureManager class is used for creating and validating signatures, and placing the signature infrastructure in a package. The signature is represented by an object based on the PackageDigitalSignature class. The PackageDigitalSignatureManager class is used for creating and validating signatures, and placing the signature infrastructure in a package. The signature is represented by an object based on the PackageDigitalSignature class. The scope of the evaluation does not include the creation and validation signatures operations but only the construction the Open package. The PackageDigitalSignatureManager class is build on the Página 7 de 12

8 System.Security.Cryptography namespace (external entity Cryptographic Operations in the figure), which in charge of performing the signature operations. This latter is out of the TOE logical scope. The TOE logical boundary is depicted in the following figure (fig 4). Documents The product includes the following documents that must be delivered jointly to the users of the evaluated version. OpenXML Open Packaging Low Assurance Security Target, v2.0, 03/02/2009 App-Guidelines-on-DigSig-Practices-for-CC-Security.doc Download details_ 2007 Office System_ Microsoft SDK for Open...pdf Página 8 de 12

9 TOE Testing The evaluator has designed a set of test following a suitable strategy for the TOE type taking into account: - Importance of the interfaces - Type of interfaces - Number of interfaces For the design of the test the following criteria have been applied: - Interaction of the TSFIs with critical parameters - Exhaustive testing of critical TSFIs - Suspected malfunction with certain input parameters It has been defined test cases for each method belonging to each TSFI group. TOE Configuration The product is delivered as a auto-installation package (OpenXMLSDK.msi) with no configuration options. Evaluation Results Taking into account the results obtained in the Security Analysis performed in every aspect covered by the evaluation activities, and the verdicts assigned to each class; it has been concluded that: (A) The TOE Microsoft SDK for Open XML Formats. OpenXMLSDK.msi v 1.0. (OPC 1.0) fulfils all the requirements specified in its Security target: OpenXML Open Packaging Low Assurance Security Target, v2.0 March, the 2 nd 2009, and therefore, (B) the verdict PASS is assigned to the evaluation, (C) recommending to the Certification Body, the certificate granting. Comments & Recommendations from the Evaluation Team This section describes several important aspects that could influence the use of the product, taking into account the scope of the findings of the evaluation. Página 9 de 12

10 Recommendations and guidelines included in [APGUI] and [MSDN] are strongly recommended to be followed by the developers using the API, taking into account: Signed links to external objects within the package are not integrity guaranteed. Only the URL content is signed and therefore, the content within the remote object may be modified and remain undetected. This can be warned to the user (as described in [APGUI]). For documents which content includes executable code (e.g. macros), the signature applies to the source code instead of the execution result, and therefore the execution of the embedded code could produce a new document content, undetected in the signature validation (already performed). This can be warned to the user (as described in [APGUI]). When partial signatures of a package (a OPC feature) it would be possible to include another signed element anywhere in the document. This can be warned to the user (as described in [APGUI]). Where the integrity of the signature is demonstrated not to be ensured, regarding the values associated to the informational elements KeyName and KeyValue as part of the KeyInfo field, the application should not make any assumption in respect to the validity of these two elements as they are not processed as part of the signature validation. As included in [MSDN] recommendation is given not using them. To avoid undetected modification and possible confusion, applications should use the InCertificatePart option rather than InSignaturePart. The InCertificatePart option does not provide or expose either KeyName or KeyValue. Certifier Recommendations Taking into account the results obtained during the certification of the product Ms SDK for Open XML Formats, OpenXMLSDK.msi, v1.0 the Spanish Certification Body proposes the approving resolution of the requested certification. Glossary CCN CB OPC IT PC TOE Centro Criptológico Nacional Certification Body Open Packaging Conventions Information Technology Personal Computer Target of Evaluation Página 10 de 12

11 GUI Graphical User Interface Página 11 de 12

12 Bibliography The following rules and documents have been used during the product evaluation: [CC_P1] Common Criteria for Information Technology Security Evaluation- Part 1: Introduction and general model, Version 3.1, r1, September [CC_P2] Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 3.1, r1, September [CC_P3] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements, Version 3.1, r1, September [CEM] Common Evaluation Methodology for Information Technology Security: Introduction and general model, Version 3.1, r1, September Security Target In addition to this report, the Security Target is available at the Certification Body: OpenXML Open Packaging Low Assurance Security Target, v2.0 March, the 2 nd Página 12 de 12