Nexbis Sdn. Bhd. NexCode National Security Suite Release 3. Security Target Version 8.4

Transcription

1 Nexbis Sdn. Bhd. NexCde Natinal Security Suite Release 3 Security Target Versin th May 2011

2 DOCUMENT HISTORY Versin Number Versin Date Change Details Initial draft Revised cpy Replaced image, numbered table and rearranged indentatin Minr updates Updated physical diagram Overall updates Overall revisin Overall revisin based n latest ERR1-d1b and ERR2-d Transfer f ST authrship t Drexx Laggui <[email protected]> frm Juliet Li. - Edited minr typgraphical errrs. - Added A.TIME and OE.TIME t satisfy FPT_STM.1 Minr updates n the fllwing: Overall dcument frmatting; Table f cntents; Replaced figure 4. Minr updates n the fllwing: Edited Sectin as per advice; Updated with Sectin 2.2.2; Fixed varius numbering and frmatting issues; Inserted the wrd "cnsecutive" in the descriptin fr ITSF.RETRY.FAIL; Remved all instances and references t FIA_UAU.1; Crrected dependencies fr FCS_COP.1(2):MD5 and FCS_COP.1(3):VeriSign; Updated ST fr cmpliance t dcument cnventins fr SFRs; Clarified ITSF.RETRY_FAIL in TSS; Clarified ratinale fr FIA_UID.2; Edited T.SYS_FAIL t clarify threat agent in statement; Standardized Table 4 as per advice. - Transfer f authrship frm Drexx Laggui t Michael Dalud ([email protected])

3 - Updates n the fllwing: Changed ST Title in sectin 2.1 (ST and TOE Reference) t crrespnd with Frnt Page Title. Identified TOE as a sftware system in Sectin 2.1 (TOE Overview) t crrespnd with Sectin (TOE Type). Re-wrte TOE Overview text Remved text highlighting (bldface) t avid cnfusin. Edited paragraphs t be mre understandable t cnsumers. Specified the lcatin f the list f hardware, sftware, and guidance parts that cnstitute the TOE. Edited and highlighted (bldface) text t clarify that the areas surrunded by the dashed lines represent the physical scpe f the TOE. Security functin descriptins have been integrated int crrespnding TOE scpe descriptins. Edited sectin Omitted lengthy explanatins as per evaluatr's advice. P.FAIL_HD remved due t the reduced scpe f the TOE. OE.PHYST integrated int OE.PHYSEC as recmmended by evaluatr. O.FAILOVER remved due t the reduced scpe f the TOE. Effects n threats and plicies are nw specified fr each claim. T.SYS_FAIL remved due t the reduced scpe f the TOE. OE.FAILHD remved due t the reduced scpe f the TOE Edited paragraphs in Sectin t fcus nly n descriptins f TOE cmpnents Added FCS_CKM.1 and FCS_CKM.4 t Sectin n Te Security Functinal Requirements and t Table 7 Edited Sectin 8 fr clarity and cnsistency. Edited Sectin n SFR Dependency Ratinale (Table 12) fr clarity n unsatisfied dependencies Added checksum t Terminlgies sectin Edited FCS_CKM.1(1) and FCS_CKM.4(1) t FCS_CKM.1 and FCS_CKM.4 respectively Edited FCS_COP.1, FCS_COP.2 and FCS_COP.3 fllwing CR_001 frm MyCB Remved marketing wrds as mentined in CR_001 frm MyCB frm TOE Overview Made the fllwing amendment:-

4 Deleted the wrd innvative in the first paragraph f TOE Overview. Remved is designed t address the ver increasing need frm the secnd paragraph f TOE Overview. Updated the term different departments t external verificatin database f TOE Type. Remved clustered server implementatin frm all relevant sectins: (Figure 1 and text) and (Figure 2, text, Table 2(1), Table 2(2) and Table 3). Changed sectin t fllw the Preparative prcedure and Operatinal prcedure file names. Under sectin 7.2, edited the term t user passwrd instead. The term administrative user passwrd basically refers t a passwrd generated during when an administratr creates a user accunt using the TOE. It has nthing really much relate t the type f user. Under sectin 7.2, edited the term administrative user t administratr. Is FMT_SMR necessary t include? Under sectin 7.2, amended TSF data t TOE data instead. Inserted an applicatin ntes t indicate the meaning f the term TOE data. Under sectin 7.2, edited the term administrative user t administratr since ultimately the term is referring t an administratr. Under sectin 7.2, expanded the audit infrmatin t all audit infrmatin (lgin, lgut, view, search, add, update, delete and its timestamp) Under sectin 7.2, changed the cnfigurable inactivity t the fllwing phrase:- [15 minutes by default r ther specified time interval f user inactivity set by an authrized administratr] instead. Under sectin 7.2, changed the term 'AES PRNG t its fuller term AES Pseudrandm Number Generatr instead. The term is

5 referring t the algrithm used in the cryptgraphy fr generating a sequence f numbers that apprximates the prperties f randm numbers. Under sectin 7.2, mdified t change t AES cryptgraphic key destructin with standard as FIPS 197 (AES) instead. Under sectin 7.2, appended applicatin nte as stated. Added back sectin renumbering t every parts f dcument. Added Cryptgraphic key management (FCS_CKM) family t Table 5 under sectin 7.1. Made several changes based n feedback frm evaluatrs n the last rund f prgress meeting with Cybersecurity (20/10/2010): Amended sectin Lgical Scpe f the TOE descriptin under security functin Identificatin and Authenticatin t nly mentin TOE instead f specifying the items. Updated sectin FIA_ATD.1 t include grup rle and rights. Remved FCS_COP.1(2) MD5 and all references t it (TSF, Security Objective, threat mappings and FTP_TRP.1 and all references t it.

6 Table f Cntents 1 DOCUMENT INTRODUCTION Dcument Cnventins Terminlgies References Dcument Organizatin INTRODUCTION ST and TOE Reference TOE Overview TOE Type Required nn-toe hardware, sftware, r firmware TOE Descriptin Physical Scpe f the TOE Operatinal Envirnment f the NexCde Natinal Security Suite Physical Scpe f the TOE (Cmpnents) CONFORMANCE CLAIMS Cmmn Criteria Claims TOE SECURITY PROBLEM DEFINITION Assumptin Threats Assets Prtected by the TOE Threats against the TOE Organizatinal Security Plicies TOE SECURITY OBJECTIVES Security Objective fr the TOE Security Objective fr the Envirnment ETENDED COMPONENTS DEFINITION IT SECURITY REQUIREMENTS Overview TOE Security Functinal Requirements TOE Security Assurance Requirements TOE SUMMARY SPECIFICATION Overview Security Functins RATIONALE Cnfrmance Claims Ratinale Security Objectives Ratinale Security Objectives fr the TOE Security Objectives fr the Operatinal Envirnment Security requirements ratinale Tracing f SFR t Security Objectives Tracing f Security Objectives t Security Prblem Definitin SFR Dependency Ratinale SAR Justificatin... 48

7 1 DOCUMENT INTRODUCTION 1.1 DOCUMENT CONVENTIONS The fllwing cnventins have been applied in this dcument: Security Functinal Requirements Part 2 f the CC defines the apprved set f peratins that may be applied t functinal requirements: assignment, selectin, and iteratin. 1. The refinement peratin is used t add detail t a requirement, and thus further restricts a requirement. Refinement f security requirements is dented by bld underlined text. Refinement fr taking ut a security requirement within the SFR s is dented by bld strikethrugh text in red clr fnt. 2. The selectin peratin is used t select ne r mre ptins prvided by the CC in stating a requirement. Selectins are dented by italicized text in square brackets, [selectin value]. 3. The assignment peratin is used t assign a specific value t an unspecified parameter, such as the length f a passwrd. Assignment is indicated by shwing the value in square brackets, [assignment value]. 4. The iteratin peratin is used when a cmpnent is repeated with varying peratins. Iteratin is dented by shwing the iteratin number in parenthesis fllwing the cmpnent identifier, (iteratin number). 1.2 TERMINOLOGIES Table 1: Terminlgies and Meanings Terminlgy CC FIPS PUB EAL PP SAR SFR ST TOE TSC TSF TSP Meaning Cmmn Criteria Federal Infrmatin Prcessing Standards Publicatin Evaluatin Assurance Level Prtectin Prfile Security Assurance Requirements Security Functinal Requirements Security Target Target f Evaluatin TSF Scpe f Cntrl TOE Security Functin TOE Security Plicy

8 TSS auditr checksum diminish mitigate system administratr TOE Summary Specificatin a persn appinted t cllect and evaluate evidence f an rganizatin's infrmatin systems, practices, and peratins; the evaluatin f btained evidence determines if the infrmatin systems are safeguarding assets, maintaining data integrity, and perating effectively t achieve the rganizatin's gals r bjectives. als knwn as hash value r hash sum, is a value derived frm the bits f a blck f digital data that is calculated befre and after transmissin r strage t gain assurance that the data is free frm errrs r tampering t reduce r lessen t make less severe r less harsh a persn emplyed t maintain and perate a cmputer system and/r netwrk. 1.3 REFERENCES Cmmn Criteria Part 1 Versin 3.1 Revisin 3 Cmmn Criteria Part 2 Versin 3.1 Revisin 3 Cmmn Criteria Part 3 Versin 3.1 Revisin 3 Cmmn Methdlgy fr Infrmatin Technlgy Security Evaluatin (CEM) versin 3.1 Revisin DOCUMENT ORGANIZATION This ST cntains: TOE Descriptin: Prvides an verview f the TOE and describes the physical and lgical scpe fr the TOE TOE Security Prblem Definitin: Describes the threats, rganizatinal security plicies, and assumptins that pertain t the TOE and the TOE envirnment. TOE Security Objectives: Identifies the security bjectives that are satisfied by the TOE and the TOE envirnment. TOE Security Functinal Requirements: Presents the Security Functinal Requirements (SFRs) met by the TOE TOE Security Assurance Requirement: Presents the Security Assurance Requirements (SARs) met by the TOE TOE Summary Specificatin: Describes the security functins prvided by the TOE t satisfy the security requirements and bjectives Ratinale: Presents the ratinale fr the security bjectives, requirements, and the TOE summary specificatins as t their cnsistency, cmpleteness, and suitability

9 2 INTRODUCTION 2.1 ST AND TOE REFERENCE ST Title NexCde Natinal Security Suite, Release 3 - Security Target ST Versin Versin 8.4, 20 th May 2011 TOE Identificatin NexCde Natinal Security Suite, Release 3 CC Identificatin Cmmn Criteria versin 3.1 Assurance Level EAL2 ST Authr Michael Dalud Keywrd TOE 2.2 TOE OVERVIEW The target f evaluatin is the NexCde Natinal Security Suite, a sftware system that utilizes mbile telephne technlgy with real-time infrmatin access t enhance the security f identificatin and authenticatin f dcuments. Using NexCde, a prprietary 2D barcde, the NexCde Natinal Security Suite prvides real-time infrmatin access and infrmatin sharing using standard camera-enabled mbile phnes, and is secured with encryptin. The user scans the NexCde printed n an individual s identificatin dcument (even phtcpied dcuments) via a mbile phne equipped with NexCde sftware t verify the infrmatin against the centralized surce data. This surce is crss-linked t ther databases, enabling accuracy f a persn s identificatin. Every transactin takes nly secnds and is updated in the system reprts. The NexCde Natinal Security Suite is fr fast and reliable identity authenticatin, dcument security, fraud detectin, and varius ther scenaris requiring identificatin enfrcement. The TOE has multiple cmpnents, each having a distinct functin. These cmpnents are: The NexCde Inventry System fr generating NexCde barcdes and ensuring secure transfer f generated NexCde barcde images int the NexCde Lad System; The NexCde Lad System fr managing successfully transferred inventry lad files fr the NexCde Cntrl Centre System; The NexCde Cntrl Centre System fr managing user and grup access cntrl and peratin cnfiguratin; The NexCde Gateway System fr managing secure cmmunicatin with the mbile client r the desktp client; The NexCde Mbile Applicatin fr scanning and decding Nexcde barcdes thrugh mbile phnes. The NexCde Desktp Applicatin fr scanning and decding Nexcde barcdes thrugh desktp cmputers.

10 The security functins prvided by the TOE include the fllwing: Identificatin and Authenticatin: Lgin and user grup identificatin and authenticatin implemented with unique username and authenticated passwrd having access rights cntrlled by the user grup User lgin blcked after three attempts f incrrect passwrd in accessing NexCde Cntrl Centre System Cryptgraphic Supprt Use f AES encryptin in securing cmmunicatins channels between the TOE Gateway Server and the mbile client r the desktp client The NexCde Mbile Applicatin is signed and verified using VeriSign Security Audit Data Generatin Audit trail and lgging n the NexCde Cntrl Centre System, the NexCde Mbile Applicatin and the NexCde Desktp Applicatin Prtectin f the TOE Security Functins Use f Secure FTP (SFTP) t secure data transfer f TOE inventry files cmpsed f NexCde 2D barcde images frm the TOE Inventry Server t the TOE Lad Server TOE Access User sessin idle time-ut within the NexCde Cntrl Centre Web applicatin upn a cnfigured idle time.

11 2.2.1 TOE Type This TOE is the NexCde Natinal Security Suite, a sftware system fr crss-referencing f infrmatin fr enfrcement and authenticatin needs. Due t its currently unique nature and peratin, its type is further described belw: Using a Webcam r a standard camera-equipped mbile phne, the user can scan identificatin dcuments that have a prprietary barcde, called Nexcde, printed n them. The NexCde Natinal Security Suite can then be used t request infrmatin regarding authenticity, validity, and identity. Requests fr infrmatin are transacted in real-time frm the external verificatin database, and the NexCde Natinal Security Suite ensures that accurate and valid infrmatin is given t the user within nly a few secnds after the request. Fr security, sending and receiving f data is dne ver encrypted cnnectins. The user is required t lg in with the apprpriate user name and passwrd t use the system. The NexCde Natinal Security Suite determines the level f access t privileged infrmatin accrding t the user s identity. Fr audit purpses and accuntability, user actins using the NexCde Natinal Security Suite are recrded. T aid in management, built-in reprting tls facilitate the viewing f usage and perfrmance infrmatin Required nn-toe hardware, sftware, r firmware The TOE is a sftware prduct that is installed n an AMD r Intel-based CPU hardware platfrm, in cmbinatin with an perating system (OS) and 3rd-party sftware applicatins. Details are expanded in Sectin The perating system platfrms supprted are: Micrsft Windws 2003 Server (standard and enterprise editins) pensuse Linux versin 10.2 The required 3rd-party applicatin systems include: Apache Tmcat versin Java ME with MIDP 2.0 r abve and CLDC 1.1 r abve Java Media Framewrk 2.1 Java Runtime Envirnment 6.0 Java SDK versin JBss applicatin server versin Jetty web server versin MS Internet Explrer 7.0 / 8.0 MySQL versin

12 2.3 TOE DESCRIPTION Physical Scpe f the TOE The fllwing subsectins describe the peratinal envirnment f the NexCde Natinal Security Suite, physical scpe f the TOE, and the relevant hardware r sftware structures Operatinal Envirnment f the NexCde Natinal Security Suite Figure 1: Operatinal Envirnment f the NexCde Natinal Security Suite The hardware, sftware, and guidance parts that cnstitute the TOE are enumerated in the tables in Sectins and There are n firmware parts fr the TOE.

13 Physical Scpe f the TOE (Cmpnents) The areas surrunded by the dashed lines represent the physical scpe f the TOE (the NexCde Natinal Security Suite) in Figure 2. Details fr each cmpnent are prvided in the paragraphs fllwing the figure. Figure 2: Physical Scpe f the NexCde Natinal Security Suite (areas surrunded by dashed lines) The NexCde Inventry System manages generatin f TOE inventry files (NexCde 2D barcde images) and inventry reprts. The TOE applicatin server (JBss 4.2.3), the TOE Web server (Jetty ) and the TOE database server (MySQL ) all reside in a single physical server named Inventry Server. The NexCde Lad System handles inventry lading and stres the TOE inventry files fr the NexCde Cntrl Centre System. The Lad Server manages strage and reference f TOE inventry files in a single physical server thrugh UNI-based scripts. The NexCde Cntrl Centre System manages the TOE inventry files in the Lad Server, and handles the encryptin f user passwrds befre they are stred int the database. The NexCde Cntrl Centre System is the cmpnent f the TOE that prvides users with a Web applicatin frnt-end fr lg-in, as well as fr administratin and cnfiguratin functins. Thrugh this frnt-end, authrized users can als read varius TOE user lg reprts in rder t mnitr and audit the usage f the TOE system.

14 The lg infrmatin used fr reprting and audit trails is stred within a database in the Cntrl Centre Database server. The nn-toe External Verificatin Database Server is the surce database frm where data request is retrieved via the Surce Adapter Server cnnected t the NexCde Cntrl Centre System. The NexCde Gateway System handles data encryptin, ruting and cnnectin between the gateway with the mbile client r the desktp client. The NexCde Mbile Applicatin handles mbile user functinality, scanning, and decding thrugh the mbile client. The NexCde Desktp Applicatin handles desktp user functinality, scanning, and decding thrugh the desktp client. The nn-toe Backup Server and nn-toe Tape Library strage device bth handle peridic data backup n TOE NexCde Gateway Database Server and TOE Cntrl Centre Database Server, including files backed up frm the TOE Lad Server. Data and files frm each TOE server are first backed up t the Backup Server befre utputting t a tape library as an external strage. The nn-toe Integrated Printer handles printing f the NexCde 2D barcde image nt each security dcument with a unique serial number.

15 The sftware cnfiguratin f the TOE is shwn in Table 2. The TOE will perate crrectly and reliably in the sftware cnfiguratin identified in the table. Table 2(1): Sftware Cnfiguratin f the TOE Equipment Name Vendr Name Prduct Name Type Inventry Server Nexbis NexCde Natinal Security Suite Inventry Management Release 3 Back-end cre and frnt-end web applicatin sftware Lad Server Nexbis NexCde Natinal Security Suite Lad Server Release 3 Applicatin scripting sftware Cntrl Centre Web Server Nexbis NexCde Natinal Security Suite Cntrl Centre Release 3 (Web) Frnt-end web applicatin sftware Cntrl Centre Applicatin Server Nexbis NexCde Natinal Security Suite Cntrl Centre Release 3 (Cre) Back-end cre applicatin sftware Gateway Applicatin Server Nexbis NexCde Natinal Security Suite Gateway Server Release 3 (Cre) Back-end cre applicatin sftware Desktp Client Nexbis NexCde Natinal Security Suite Desktp Applicatin Release 3 Desktp applicatin sftware

16 Mbile Client Nexbis NexCde Natinal Security Suite Mbile Applicatin Release 3 Mbile applicatin sftware Table 2(2): Sftware Cnfiguratin, nn-toe Equipment Name Vendr Name Prduct Name Type JBss JBss applicatin server versin Applicatin server Jetty Jetty web server versin Web server Micrsft I.E 7.0 Web brwser Inventry Server Sun Micrsystems MySQL versin Database Linux pensuse Linux versin 10.2 Operating system Sun Micrsystems Java SDK versin System Develpment Kit

17 Lad Server Linux pensuse Linux versin 10.2 Operating system Jetty Jetty web server versin Web server Micrsft I.E 7.0 Web brwser Cntrl Centre Web Server Linux pensuse Linux 10.2 Operating system Sun Micrsystems Java SDK versin System Develpment Kit Sun Micrsystems MySQL versin Database JBss JBss applicatin server versin Applicatin server Cntrl Centre Applicatin Server Linux pensuse Linux 10.2 Operating system

18 Sun Micrsystems Java SDK versin System Develpment Kit Sun Micrsystems MySQL versin Database Cntrl Centre Database Server Linux pensuse Linux 10.2 Operating system JBss JBss applicatin server versin Applicatin server Gateway Applicatin Server Linux pensuse Linux 10.2 Operating system Sun Micrsystems Java SDK versin System Develpment Kit Sun Micrsystems MySQL versin Database Gateway Database Server Linux pensuse Linux 10.2 Operating system

19 Sun Micrsystems Java Runtime Envirnment 6.0 Java virtual machine and library Desktp Client Sun Micrsystems Java Media Framewrk 2.1 Java library Mbile Client Sun Micrsystems Java ME with MIDP 2.0 and CLDC 1.1 Device platfrm Table 3 belw shws the hardware cnfiguratin f the TOE f which the TOE will perate crrectly and reliably in the hardware cnfiguratin identified in the table. Table 3: Hardware Cnfiguratin f the TOE Server Specificatins Descriptin Prcessr 1x Intel Quad-Cre en 3Ghz Inventry Server Memry 16 GB RAM Disk Drive 2x 146GB SAS 15K RAID1 & 3TB SAN Strage Prcessr 1x Intel Dual-Cre en 3Ghz Lad Server Memry 16 GB RAM Disk Drive 2x 146GB SAS 15K RAID1 & 1TB SAN Strage Prcessr 1x Intel Quad-Cre en 3Ghz Cntrl Centre Web Memry 16 GB RAM Server Disk Drive 2x 146GB SAS 15K RAID1 Prcessr 2x Intel Quad-Cre en 3Ghz Cntrl Centre Memry 32 GB RAM Applicatin Servers Disk Drive 2x 146GB SAS 15K RAID1 Prcessr 2x Intel Dual-Cre en 3Ghz Cntrl Centre Memry 16 GB RAM Database Server Disk Drive 2x 146GB SAS 15K RAID1 & 1TB SAN Strage Prcessr 1x Intel Quad-Cre en 3Ghz Gateway Applicatin Memry 16 GB RAM Server Disk Drive 2x 146GB SAS 15K RAID1 Prcessr 1x Intel Dual-Cre en 3Ghz Gateway Database Memry 16 GB RAM Server Disk Drive 2x 146GB SAS 15K RAID1

20 Desktp Client Mbile Client Prcessr 1x Intel Du Cre 2.7Ghz Memry 2 GB RAM Disk Drive 160GB Camera Web Cam Screen 128x160 Pixels CLDC v1.1 MIDP v2.0 JSR Supprt JSR-135 (Mbile Media API) fr image scanning Camera VGA Memry 250 kbytes Data Access GPRS/3G/EDGE Physical Scpe f the TOE (Guidance) The fllwing TOE guidance manuals are prvided: Preparative Prcedure Nexbis-NSS-r3_AGD-PRE_EAL2_ver1.1.dc Operatinal User Guidance Nexbis-NSS-r3_AGD-OPE_EAL2_ver1.1.dc

21 Lgical Scpe f the TOE The TOE scpe descriptin n each TOE security functin is summarized in Table 4 belw. Each TOE security functin is categrized accrding t its functinal requirement class. Table 4: TOE Security Functin map t TOE Scpe Security Functin TOE Scpe Descriptin Identificatin and Authenticatin TOE user and grup access cntrl: ITSF.I&AUT ITSF.RETRY_FAIL TOE user with unique username is authenticated by passwrd with access rights cntrlled by either an individual user r a user grup within the TOE. Three times authenticatin failure: TOE user lgin is blcked upn three cnsecutive attempts f incrrect passwrd entry in accessing NexCde Cntrl Centre System. Cryptgraphic Supprt ITSF.ENCRY_DAT ITSF.SIGN_MOB Encrypted cmmunicatin channel between TOE Gateway Server and enfrcement tls: Data transferred between the TOE Gateway Server and the mbile client r the desktp client is encrypted using AES encryptin. Trusted TOE mbile applicatin: The TOE Mbile Applicatin installed n the mbile client is signed and verified. Security Audit Data Generatin Audit trail and lgging: The fllwing applies t NexCde Cntrl Centre System web applicatin, the NexCde Mbile Applicatin and the NexCde Desktp Applicatin: ITSF.AT&L All TOE user access lgin r lgut is lgged and auditable; All actin taken against any TOE data is lgged and auditable. The IT Envirnment is relied n t prvide reliable time stamps fr use in cllected audit data. Cllected audit data are stred in files in the IT Envirnment, which the TOE relies n t prtect as well.

22 Prtectin f the TOE Security Functin Secure FTP n transferring TOE inventry files: ITSF.SEC_DATA Usage f Secure FTP (SFTP) t transfer generated TOE inventry files (NexCde 2D barcde images) frm the TOE Inventry Server t the TOE Lad Server. TOE Access Lgin sessin idle time-ut: ITSF.TIMEOUT The TOE user lgin sessin is timed-ut within NexCde Cntrl Centre System web applicatin upn a cnfigured idle time (default 15 minutes) t prevent unauthrized TOE users frm accessing it.

23 3 CONFORMANCE CLAIMS 3.1 COMMON CRITERIA CLAIMS The fllwing cnfrmance claims are made fr the TOE and ST: CCv3.1 Rev.3 cnfrmant. The ST and the TOE are Cmmn Criteria cnfrmant t Cmmn Criteria versin 3.1 Revisin 3; Part 2 cnfrmant. The ST is Cmmn Criteria Part 2 cnfrmant; Part 3 cnfrmant. The ST is Cmmn Criteria Part 3 cnfrmant; Package cnfrmant. The ST is package cnfrmant t the package Evaluatin Assurance Level EAL2; Prtectin Prfile cnfrmance. The ST claims cnfrmance t the fllwing Prtectin Prfiles: Nne.

24 4 TOE SECURITY PROBLEM DEFINITION 4.1 ASSUMPTION This sectin describes assumptins that are applied t the TOE and its peratinal envirnment. 1. A.PHY_ACC (physical access) Accessing t data centre and servers kept n server rack requires nly authrized persnnel and system authenticatin. 2. A.TIME (crrect time) The TOE perating envirnment will prvide reliable system time. 4.2 THREATS This sectin describes the assets prtected by the TOE and the threats Assets Prtected by the TOE Types f user data, assets t be prtected by the TOE listed are:- system access cntrl data, the inventry generatin data, enfrcement cnfiguratin data, mbile client r the desktp client enfrcement data, gateway cmmunicatin data and reprting data Threats against the TOE This sectin describes threats against the TOE. 1. T.ILLEGAL_ACCESS (illegal access) An authrized TOE user with administratr privileges may destry r disclse any data r perfrm peratins that are nt authrized fr each user rle such as the fllwing: Creating, updating r deleting f inventry generatin recrds; Creating, updating r deleting f enfrcement and peratin recrds; Registering, updating r deleting existing user r grup privileges; Creating and assigning f new user r grup and its privileges; Viewing f data frm reprts n inventry, peratinal and enfrcement activities.

25 2. T. DATA_INTERCEPT (data interceptin) Experienced hackers may maliciusly listen and tamper: The data alng the cmmunicatin channel between NexCde Gateway Server and the enfrcement tls (the mbile client r the desktp client); The files transferred frm the NexCde Inventry Server t the NexCde Lad Server; The HTTP request fr any web client accessing NexCde Cntrl Centre System. 3. T. BYPASS (authenticatin bypass) Unauthrized persn may successfully vilate the authenticity f rules by succeeding t bypass the authenticatin. 4. T. UNTRUSTED_APP (untrusted applicatin) User may be accessing an un-trusted applicatin which is nt signed and verified. 4.3 ORGANIZATIONAL SECURITY POLICIES This sectin describes rganizatinal security plicies that are applied t the TOE and its peratinal envirnment. 1. P.ADMIN_IDENTIFY (identificatin f an administratr) Authrized System Administratr and the Auditr wh use the TOE are subject t the TOE identificatin t keep a recrd f TOE access lgs. 2. P. AUDIT_LOG (audit lgs) The ability t access the TOE audit lgs is be restricted t the Auditr nly in rder t track unauthrized peratins n the TOE assets t be prtected.

26 5 TOE SECURITY OBJECTIVES 5.1 SECURITY OBJECTIVE FOR THE TOE This sectin defines the IT security bjectives that are t be satisfied by the TOE in cmbinatin with the IT security envirnment. Table 10 in sectin crrelates the TOE security bjectives t each f the threats and security plicies, shwing that each threat is cuntered by at least ne IT security bjective, and that each security plicy is satisfied by at least ne IT security bjective. 1. O.I&A The TOE must prvide lgin and user identificatin and authenticatin by allwing nly authrized username and authenticated passwrd t gain access t the system having access rights cntrlled by either an individual user r a user grup. 2. O. AUDIT_LOG The TOE must prvide the means f generating recrds f security relevant events in sufficient detail t help an administratr f the TOE t trace user activities within the system. 3. O. LOGIN_FAIL The TOE must prevent r blck users t lgin t the system after three attempts f incrrect passwrd. 4. O. ENCRYPT_DATA The TOE must ensure that the data alng cmmunicatin channel between the NexCde Gateway Server and the enfrcement tls (the mbile client r the desktp client) is encrypted using AES encryptin. 5. O. SECURE_DATA The TOE must ensure that the inventry files (NexCde 2D barcde images) transferred frm the NexCde Inventry Server t the NexCde Lad Server is via the Secure FTP (SFTP). 6. O.SIGN_MOB The TOE must ensure that the NexCde Mbile Applicatin is signed and verified using Verisign.

27 7. O. TIMEOUT The TOE must ensure that the user access t the system is timed-ut after a perid f defined idle time. 5.2 SECURITY OBJECTIVE FOR THE ENVIRONMENT 1. OE.PHYSEC The TOE perating envirnment must ensure that the TOE is physically secured and lcated within a secure cntrlled access facility i.e. data centre, which will prevent unauthrized physical access r mdificatin. 2. OE.TIME The TOE perating envirnment must prvide a reliable time surce fr the TOE t prvide accurate timestamps fr audit recrds.

28 6 ETENDED COMPONENTS DEFINITION <This sectin is nt applicable. There is n extended cmpnent.>

29 7 IT SECURITY REQUIREMENTS 7.1 OVERVIEW Table 5: SFR map t Class, Family and Cmpnent Class Family Cmpnent SFR User attribute definitin User attribute definitin FIA_ATD.1.1 (FIA_ATD) (FIA_ATD.1) Authenticatin failures Authenticatin failure FIA_AFL.1.1 (FIA_AFL) handling (FIA_AFL.1) FIA_AFL.1.2 Identificatin and User identificatin User identificatin befre Authenticatin (FIA) FIA_UID.2.1 (FIA_UID) any actin (FIA_UID.2) User authenticatin User authenticatin befre any actin FIA_UAU.2.1 (FIA_UAU) (FIA_UAU.2) Security Audit Data Generatin (FAU) TOE Access (FTA) Cryptgraphic Supprt (FCS) Prtectin f the TSF (FPT) Security audit data generatin (FAU_GEN) Security audit review (FAU_SAR) Security audit event strage (FAU_STG) Sessin lcking and terminatin (FTA_SSL) Cryptgraphic peratin (FCS_COP) Cryptgraphic key management (FCS_CKM) Internal TOE TSF data transfer (FPT_ITT) Time stamps (FPT_STM) Audit data generatin (FAU_GEN.1) User identity assciatin (FAU_GEN.2) Audit review (FAU_SAR.1) Restricted audit review (FAU_SAR.2) Select able audit review (FAU_SAR.3) Prtected audit trail strage (FAU_STG.1) TSF-initiated terminatin (FTA_SSL.3) Cryptgraphic Operatin (FCS_COP.1) Cryptgraphic Key Generatin (FCS_CKM.1) Cryptgraphic Key Destructin (FCS_CKM.4) Basic internal TSF data transfer prtectin (FPT_ITT.1) Reliable time stamps (FPT_STM.1) FAU_GEN.1.1 FAU_GEN.2.1 FAU_SAR.1.1 FAU_SAR.1.2 FAU_SAR.2.1 FAU_SAR.3.1 FAU_STG.1.1 FAU_STG.1.2 FTA_SSL.3.1 FCS_COP.1.1 FCS_CKM.1.1 FCS_CKM.4.1 FPT_ITT.1.1 FPT_STM.1.1

30 7.2 TOE SECURITY FUNCTIONAL REQUIREMENTS FIA Identificatin and authenticatin FIA_ATD.1 User attribute definitin Hierarchical t: N ther cmpnents. Dependencies: N dependencies. FIA_ATD.1.1 The TSF shall maintain the fllwing list f security attributes belnging t individual users: [accunt name, grup rle, user rle, grup rights, user rights and user passwrd]. FIA_AFL.1 Authenticatin failure handling Hierarchical t: N ther cmpnents. Dependencies: FIA_UAU.1 Timing f identificatin FIA_AFL.1.1 FIA_AFL.1.2 The TSF shall detect when [3] unsuccessful authenticatin attempts ccur related t [user lg in authenticatin t any applicatin within the system]. When the defined number f unsuccessful authenticatin attempts has been [met], the TSF shall [disable the user until unlcked by an administratr]. FIA_UID.2 User identificatin befre any actin Hierarchical t: FIA_UID.1 Timing f identificatin Dependencies: N dependencies. FIA_UID.2.1 The TSF shall require each user t be successfully identified befre allwing any ther TSF-mediated actins n behalf f that user. FIA_UAU.2 User authenticatin befre any actin Hierarchical t: FIA_UAU.1 Timing f authenticatin Dependencies: FIA_UID.1 Timing f identificatin FIA_UAU.2.1 The TSF shall require each user t be successfully authenticated befre allwing any ther TSF-mediated actins n behalf f that user.

31 7.2.2 FAU Security audit data generatin FAU_GEN.1 Audit data generatin Hierarchical t: N ther cmpnents. Dependencies: FPT_STM.1 Reliable time stamps FAU_GEN.1.1 The TSF shall be able t generate an audit recrd f the fllwing auditable events: a) Start-up and shutdwn f the audit functins; b) All auditable events fr the [basic] level f audit; and c) [Each user lgin and lgut actidn and any user actin (add, update, delete, search and view) taken against any TOE data]. Applicatin Ntes: The term TOE data refers t data that is generated r used within the target f evaluatin. FAU_GEN.1.2 The TSF shall recrd within each audit recrd at least the fllwing infrmatin: a) Date and time f the event, type f event, subject identity (if applicable), and the utcme (success r failure) f the event; and b) Fr each audit event type, based n the auditable event definitins f the functinal cmpnents included in the ST, [Nne]. FAU_GEN.2 User identity assciatin Hierarchical t: N ther cmpnents. Dependencies: FAU_GEN.1 Audit data generatin FIA_UID.1 Timing f identificatin FAU_GEN.2.1 Fr audit events resulting frm actins f identified users, the TSF shall be able t assciate each auditable event with the identity f the user that caused the event. FAU_SAR.1 Audit review Hierarchical t: N ther cmpnents. Dependencies: FAU_GEN.1 Audit data generatin FAU_SAR.1.1 The TSF shall prvide [an administratr wh is authrized t read audit recrds] with the capability t read [all audit infrmatin (lgin, lgut, view, search, add, update, delete and its timestamp)] frm the audit recrds. FAU_SAR.1.2 The TSF shall prvide the audit recrds in a manner suitable fr the user t interpret the infrmatin.

32 FAU_SAR.2 Restricted audit review Hierarchical t: N ther cmpnents. Dependencies: FAU_SAR.1 Audit review FAU_SAR.2.1 The TSF shall prhibit all users read access t the audit recrds, except thse users that have been granted explicit read-access. FAU_SAR.3 Select able audit review Hierarchical t: N ther cmpnents. Dependencies: FAU_SAR.1 Audit review FAU_SAR.3.1 The TSF shall prvide the ability t apply [searches] f audit data based n [accunt name and / r date]. FAU_STG.1 Prtected audit trail strage Hierarchical t: N ther cmpnents. Dependencies: FAU_GEN.1 Audit data generatin FAU_STG.1.1 The TSF shall prtect the stred audit recrds in the audit trail frm unauthrised deletin. FAU_STG.1.2 The TSF shall be able t [prevent] unauthrised mdificatins t the stred audit recrds in the audit trail.

33 7.2.3 FTA TOE Access FTA_SSL.3 TSF-initiated terminatin Hierarchical t: N ther cmpnents. Dependencies: N dependencies. FTA_SSL.3.1 The TSF shall terminate an interactive sessin after a [15 minutes by default r ther specified time interval f user inactivity set by an authrized administratr].

34 7.2.4 FCS Cryptgraphic Supprt FCS_CKM.1 Cryptgraphic Key Generatin Hierarchical t: N ther cmpnents. Dependencies: [FCS_CKM.2 Cryptgraphic key distributin, r FCS_COP.1 Cryptgraphic peratin] FCS_CKM.4 Cryptgraphic key destructin] FCS_CKM.1: The TSF shall generate cryptgraphic keys in accrdance with a specified cryptgraphic key generatin algrithm [AES Pseudrandm Number Generatr] and specified cryptgraphic key sizes [128, 192 and 256 bits] that meet the fllwing: [FIPS 197 (AES)]. FCS_CKM.4 Cryptgraphic Key Destructin Hierarchical t: N ther cmpnents. Dependencies: [FDP_ITC.1 Imprt f user data withut security attributes, r FDP_ITC.2 Imprt f user data with security attributes, r FCS_CKM.1 Cryptgraphic key generatin] FCS_CKM.4: The TSF shall destry cryptgraphic keys in accrdance with a specified cryptgraphic key destructin methd [AES cryptgraphic key destructin] that meets the fllwing: [FIPS 197 (AES)]. FCS_COP.1(1) Cryptgraphic Operatin (AES) Hierarchical t: N ther cmpnents. Dependencies: [FDP_ITC.1 Imprt f user data withut security attributes, r FDP_ITC.2 Imprt f user data with security attributes, r FCS_CKM.1 Cryptgraphic key generatin] FCS_CKM.4 Cryptgraphic key destructin FCS_COP.1.1(1) The TSF shall perfrm [encryptin n data cmmunicated between the NexCde Gateway Server and the mbile client r the desktp client] in accrdance with a specified cryptgraphic algrithm [AES, Advanced Encryptin Standard] and cryptgraphic key sizes [128, 192 and 256 bits] that meet the fllwing: [FIPS 197 (AES)]. FCS_COP.1(2) Cryptgraphic Operatin (Verisign) Hierarchical t: N ther cmpnents. Dependencies: [FDP_ITC.1 Imprt f user data withut security attributes, r FDP_ITC.2 Imprt f user data with security attributes, r FCS_CKM.1 Cryptgraphic key generatin] FCS_CKM.4 Cryptgraphic key destructin FCS_COP.1.1(2) The TSF shall perfrm [signing and verificatin n the NexCde Mbile Applicatin] in accrdance with a specified cryptgraphic algrithm [SHA1-RSA] and cryptgraphic key sizes [1024 bits] that meet the fllwing: [FIPS PUB 186].

35 7.2.5 FPT Prtectin f the TSF FPT_ITT.1 Basic internal TSF data transfer prtectin Hierarchical t: N ther cmpnents. Dependencies: N dependencies. FPT_ITT.1.1 The TSF shall prtect TSF data frm [disclsure, mdificatin] when it is transmitted between separate parts f the TOE. FPT_STM.1 Reliable time stamps Hierarchical t: N ther cmpnents. Dependencies: N dependencies. FPT_STM.1.1 The TSF shall be able t prvide reliable time stamps. Applicatin Nte: This SFR ensures that the TOE btains accurate time frm the underlying perating system in the TOE envirnment.

36 7.3 TOE SECURITY ASSURANCE REQUIREMENTS This ST claims cmpliance t the assurance requirements frm the CC EAL2 assurance package. This EAL was chsen based n the security prblem definitin and the security bjective fr the TOE. The chsen assurance level is cnsistent with the claimed threat envirnment. Table 6: Assurance Requirements in EAL2 Assurance Class ADV: Develpment AGD: Guidance dcuments ALC: Life-cycle supprt ASE: Security Target evaluatin ATE: Tests AVA: Vulnerability assessment Assurance cmpnents ADV_ARC.1 Security architecture descriptin ADV_FSP.2 Security-enfrcing functinal specificatin ADV_TDS.1 Basic design AGD_OPE.1 Operatinal user guidance AGD_PRE.1 Preparative prcedures ALC_CMC.2 Use f a CM system ALC_CMS.2 Parts f the TOE CM cverage ALC_DEL.1 Delivery prcedures ASE_CCL.1 Cnfrmance claims ASE_ECD.1 Extended cmpnents definitin ASE_INT.1 ST intrductin ASE_OBJ.2 Security bjectives ASE_REQ.2 Derived security requirements ASE_SPD.1 Security prblem definitin ASE_TSS.1 TOE summary specificatin ATE_COV.1 Evidence f cverage ATE_FUN.1 Functinal testing ATE_IND.2 Independent testing - sample AVA_VAN.2 Vulnerability analysis

37 8 TOE SUMMARY SPECIFICATION 8.1 OVERVIEW This chapter prvides the TOE summary specificatin, a high-level definitin f the security functins f the TOE and a summary f hw thse Security Functins meet the SFR s. 8.2 SECURITY FUNCTIONS Table 7: Mappings f TOE Security Functins and SFRs ITSF.SIGN_MOB ITSF.SEC_DATA ITSF.ENCRY_DAT ITSF.TIMEOUT ITSF.RETRY_FAIL TSF.AT&L ITSF.I&AUT FIA_ATD.1 FIA_AFL.1 FIA_UID.2 FIA_UAU.2 FAU_GEN.1 FAU_GEN.2 FPT_STM.1 FAU_SAR.1 FAU_SAR.2 FAU_SAR.3 FAU_STG.1 FTA_SSL.3 FCS_CKM.1 FCS_CKM.4 FCS_COP.1(1)(AES) FPT_ITT.1 FCS_COP.1(2)(VeriSign)

38 8.2.1 TOE user and grup access cntrl The TOE uses user names and their crrespnding passwrds fr authenticatin, allwing use f the TOE fr authrized users nly. The TOE is designed s that each user, r grup f users, can be assigned security attributes, such as specific access rights and privileges, in the peratin f the TOE. This cvers FIA_ATD.1. In rder t use the TOE functins fr which he r she is authrized, based n his r her security attributes, a user must be lgged in int the TOE with the crrect user name (FIA_UID.2) and crrespnding passwrd (FIA_UAU.2) Three times authenticatin failure T prevent brute-frce guessing f passwrds, the TOE blcks access by disabling an existing user accunt after a number f unsuccessful authenticatin attempts. This happens when a user knws the crrect user name, but fails t prvide the crrect passwrd within three tries. This cvers FIA_AFL Encrypted cmmunicatin channel between TOE Gateway Server and enfrcement tls The TOE implements AES encryptin n the data being transferred between the TOE Gateway Server and the NexCde Mbile Applicatin r the NexCde Desktp Applicatin. This is dne t prevent unintentinal disclsure, and t defeat attempts at interceptin f and unauthrized access t cnfidential infrmatin flwing between the abve cmpnents f the TOE. This cvers FCS_COP.1(1)(AES). The TOE includes a randm number generatr and a key generatin functin fr generating the 128-, 192- r 256-bit AES key, used in the encryptin algrithm. This cvers FCS_CKM.1. The TOE administratr als has access t a functin f the TOE fr erasure f thse keys using a prprietary methd. This cvers FCS_CKM Trusted TOE mbile applicatin The TOE implements signing and verificatin f the NexCde Mbile Applicatin installed n the mbile client. A signing certificate used n an applicatin serves t prtect the integrity f that applicatin by applying a digital signature that is independently verified by VeriSign (FCS_COP.1(2)(VeriSign). A digital signature that des nt match warns users that the applicatin has been tampered with r mdified, and helps prtect them frm hackers r malicius cde.

39 8.2.5 Audit trail and lgging The TOE is designed t recgnize specific events within its peratin and lg them. These events include user lg-ins and lg-uts, a user accessing the NexCde Cntrl Centre Web applicatin, the NexCde Mbile Applicatin, r the NexCde Desktp Applicatin, as well as changes made t the TOE system. This cvers FAU_GEN.1. The infrmatin fr events lgged by the TOE include the user name (FAU_GEN.2) f the accunt assciated with the event, the time and date (FPT_STM.1) f its ccurrence, and the nature f the event (e.g., lg-in, changes t settings, etc.). Fr auditing purpses, lgs generated by the TOE may be viewed in human-readable frmat using a reprting functin f the TOE via the Web client (FAU_SAR.1). This ability is allwed nly t TOE users wh have been authrized t read audit lgs n the TOE system (FAU_SAR.2). Such users (i.e., auditrs) may chse t view nly a specific sectin f a lg r nly a specific categry f infrmatin, srting and filtering data as necessary (FAU_SAR.3). The lg infrmatin used fr reprting and audit trails is stred within a database in the TOE, as briefly described in Sectin The ability t directly access, mdify, and/r delete this data within the database is allwed nly t TOE users authrized t exercise said abilities, as per Sectin This cvers FAU_STG Secure FTP n transferring TOE inventry files The TOE implements usage f Secure FTP (SFTP) t transprt generated inventry files (NexCde 2D barcde images) frm the TOE Inventry Server t the TOE Lad Server. This defeats attempts at unauthrized access and preserves the integrity f the inventry files as they are mved frm ne TOE server t anther. This cvers FPT_ITT Lgin sessin idle time-ut The TOE implements a cnfigurable sessin time-ut upn the Web applicatin f the NexCde Cntrl Centre System. By default, 15 minutes withut user input causes the TOE t lg ut the current user, requiring him r her t lg in again if use f the TOE is desired. This helps prevent an unauthrized user frm using the TOE when the user wh is currently lgged in leaves the TOE interface unattended. This cvers FTA_SSL.3.

40 9 RATIONALE 9.1 CONFORMANCE CLAIMS RATIONALE The Cnfrmance Claim f this ST des nt claim cnfrmance t any Prtectin Prfile. Hence, there are n elements t be cvered in the cnfrmance claim ratinale. 9.2 SECURITY OBJECTIVES RATIONALE Security Objectives fr the TOE Table 8: TOE Security Objectives map t Threats and Organizatinal Plicies Threat T.ILLEGAL_ACCESS Hw threat is met T.ILLEGAL_ACCESS -> O.AUDIT_LOG, O.TIMEOUT The threat f an authrized TOE user with administratr privileges destrying r disclsing any data r perfrm peratins that are nt authrized fr each user rle is dealt with by implementing: * O.AUDIT_LOG The TOE must prvide the means f generating recrds f security relevant events in sufficient detail t help an administratr f the TOE t track user activities within the system. When lgs are reliable, and unauthrized use is detected crrectly and in time, and thse users wh perfrmed unauthrized actins are given disciplinary actin, it serves as a deterrent against unauthrized use. The pssibility f being caught serves t diminish the urge t use the system in an unauthrized manner, and therefre reduces the chance f the abve threat happening. * O.TIMEOUT The TOE must ensure that the user s access t the system is timed ut after a perid f idle time. This has the effect f diminishing the chance f the threat happening. T.BYPASS T.BYPASS -> O.I&A, O.LOGIN_FAIL The threat that an unauthrized TOE user may successfully vilate the authenticity f rules by succeeding in bypassing the authenticatin is dealt with by applying: * O.I&A The TOE must prvide lgin and user identificatin and authenticatin by allwing nly authrized username and authenticated passwrd t gain access t the system having access rights cntrlled by either an

41 individual user r a user grup. This has the effect f greatly diminishing the chance f the abve threat happening. The threat cannt be remved entirely because f the pssibility, hwever small, that a username and its passwrd can be guessed r therwise illegally acquired. * O.LOGIN_FAIL The TOE must prevent r blck users frm lgin int the system after three attempts with incrrect passwrds. This has the effect f greatly diminishing the chance f the threat happening. T.DATA_INTERCEPT T.DATA_INTERCEPT -> O.ENCRYPT_DATA, O.SECURE_DATA Experienced hackers may maliciusly listen and tamper with: The data alng the cmmunicatin channel between the TOE Gateway Server and the mbile client r the desktp client; The transferring f TOE inventry files (NexCde 2D barcde images) frm the TOE Inventry Server t the TOE Lad Server; The HTTP request fr any TOE Web client access t NexCde Cntrl Centre System. These activities can be dealt with by executing the fllwing: * O.ENCRYPT_DATA The TOE must ensure that the TOE data alng cmmunicatin channel between the TOE Gateway Server and the mbile client r the desktp client is encrypted using AES encryptin. This has the effect f greatly diminishing the chance f the abve threat happening. The threat cannt be remved entirely because f the pssibility, hwever small, that malicius individuals with access t vast technical resurces may be able t decrypt the cmmunicatins. * O.SECURE_DATA The TOE must ensure that the TOE inventry files (NexCde 2D barcde images) transferred frm the TOE Inventry Server t the TOE Lad Server is via the Secure FTP (SFTP). This has the effect f greatly diminishing the chance f the abve threat happening. T.UNTRUSTED_APP T.UNTRUSTED_APP -> O.SIGN_MOB TOE user that accesses the TOE mbile applicatin may be using an unsigned prduct. This can be mitigated with the fllwing bjective: * O.SIGN_MOB The TOE must ensure that the TOE mbile applicatin is signed and verified. P.ADMIN_IDENTIFY P.ADMIN_IDENTIFY -> O.I&A

42 Authrized System Administratr and the Auditr wh use the TOE are subject t the TOE identificatin t keep a recrd f TOE access lgs. * O.I&A The TOE must prvide lgin and user identificatin and authenticatin by allwing nly authrized username and authenticated passwrd t gain access t the system having access rights cntrlled by either an individual user r a user grup. P.AUDIT_LOG P.AUDIT_LOG -> O.AUDIT_LOG The ability t access the TOE audit lgs is t be restricted t the Auditr nly in rder t track unauthrized peratins n the TOE assets t be prtected. * O.AUDIT_LOG The TOE must prvide the means f generating recrds f security relevant events in sufficient detail t help an administratr f the TOE t track user activities within the system. This has the effect f supprting the plicy f segregatin f duties between auditrs and system administratrs. It must be enfrced because f tw majr benefits: 1. deliberate misuse becmes mre difficult because it requires cnspiracy between tw r mre persns, and 2. it becmes much mre likely that accidental errrs will be psitively identified. System administratrs wh are restricted t perating their assigned hardware and sftware are discuraged frm unauthrized use by the knwledge that sme ther authrized persn will be reprting their actins. Auditrs wh are restricted t bserving and reprting are prevented frm expliting their knwledge f the system t perfrm unauthrized use Security Objectives fr the Operatinal Envirnment Table 9: Mapping f Security Objectives fr the Operatinal Envirnment t Assumptins Assumptin A.PHY_ACC Hw assumptin traced back t bjective fr peratinal envirnment A.PHY_ACC > OE.PHYSEC This bjective fr the perating envirnment ensures that the assumptin is upheld that the TOE is physically secured and lcated within a secure cntrlled access facility, which will prevent unauthrized physical access r mdificatin. The TOE security bjective presented t address this assumptin is: OE.PHYSEC

43 A.TIME A.TIME --> OE.TIME The bjective fr the perating envirnment ensures that that the assumptin is upheld that the TOE is prvided a reliable time surce fr the TOE t prvide an accurate timestamp fr all audit recrds. The TOE security bjective presented t address the assumptin is: OE.TIME

44 9.3 SECURITY REQUIREMENTS RATIONALE Tracing f SFR t Security Objectives The functinal and assurance requirements presented in this ST are mutually supprtive and their cmbinatins meet the stated security bjectives. The security requirements were derived accrding t the general mdel presented in Part 1 f the Cmmn Criteria. Table 10 illustrates the mapping between the security requirements and the security bjectives. Table 11 demnstrates the relatinship between the assumptins, threats, plicies and TOE security bjectives. Tgether these tables demnstrate the cmpleteness and sufficiency f the requirements. Table 10: Mappings f SFR and TOE Security Objectives O.SIGN_MOB O.SECURE_DATA O.ENCRYPT_DATA O.TIMEOUT O.LOGIN_FAIL O.AUDIT_LOG O.I&A FIA_ATD.1 FIA_AFL.1 FIA_UID.2 FIA_UAU.2 FAU_GEN.1 FAU_GEN.2 FPT_STM.1 FAU_SAR.1 FAU_SAR.2 FAU_SAR.3 FAU_STG.1 FTA_SSL.3 FCS_CKM.1 FCS_CKM.4 FCS_COP.1(1)(AES) FPT_ITT.1 FCS_COP.1(2)(VeriSign)

45 FIA_ATD.1 User attribute definitin: This cmpnent specifies the security attributes that shuld be maintained at the level f the user. This means that the security attributes listed are assigned t and can be changed at the level f the user. In ther wrds, changing a security attribute in this list assciated with a user shuld have n impact n the security attributes f any ther user. This cmpnent traces back t and aids in meeting the fllwing bjective: O.I&A. FIA_AFL.1 Authenticatin failure handling: This cmpnent requires that the TSF be able t terminate the sessin establishment prcess after three cnsecutive unsuccessful user authenticatin attempts. It als requires that, after terminatin f the sessin establishment prcess, the TSF be able t disable the user accunt r the pint f entry (e.g. wrkstatin) frm which the attempts were made until an administratr-defined cnditin ccurs. This cmpnent traces back t and aids in meeting the fllwing bjective: O.LOGIN_FAIL. FIA_UID.2 User identificatin befre any actin: This cmpnent pses requirements fr the user t be identified befre any TSF-mediated actins can be perfrmed in behalf f that user. This cmpnent traces back t and aids in meeting the fllwing bjective: O.I&A & O.LOGIN_FAIL. FIA_UAU.2 User authenticatin befre any actin: This cmpnent requires that a user is authenticated befre any ther TSF- mediated actin can take place n behalf f that user. This cmpnent traces back t and aids in meeting the fllwing bjective: O.I&A. FAU_GEN.1 Audit data generatin: This cmpnent defines requirements t identify the auditable events fr which audit recrds shuld be generated, and the infrmatin t be prvided in the audit recrds. This cmpnent traces back t and aids in meeting the fllwing bjective: O.AUDIT_LOG. FAU_GEN.2 User identity assciatin: This cmpnent addresses the requirement f accuntability f auditable events at the level f individual user identity. This cmpnent shuld be used in additin t FAU_GEN.1 Audit data generatin. This cmpnent traces back t and aids in meeting the fllwing bjective: O.AUDIT_LOG. FPT_STM.1 Reliable time stamps: Sme pssible uses f this cmpnent include prviding reliable time stamps fr the purpses f audit as well as fr security attribute expiratin. This cmpnent traces back t and aids in meeting the fllwing bjective: OE.TIME. FAU_SAR.1 Audit review: This cmpnent will prvide authrized users the capability t btain and interpret the infrmatin. In case f human users this infrmatin needs t be in a human understandable presentatin. In case f external IT entities the infrmatin needs t be unambiguusly represented in an electrnic fashin. This cmpnent traces back t and aids in meeting the fllwing bjective: O.AUDIT_LOG. FAU_SAR.2 Restricted audit review: This cmpnent specifies that any users nt identified in FAU_SAR.1 Audit review will nt be able t read the audit recrds. This cmpnent traces back t and aids in meeting the fllwing bjective: O.AUDIT_LOG. FAU_SAR.3 Selectable audit review: This cmpnent is used t specify that it shuld be pssible t perfrm selectin f the audit data t be reviewed. If based n multiple criteria, thse criteria shuld be related and the tls shuld prvide the ability t manipulate audit data (e.g. srt, filter). This cmpnent traces back t and aids in meeting the fllwing bjective: O.AUDIT_LOG. FAU_STG.1 Prtected audit trail strage: This cmpnent specifies that requirements are placed n the audit trail. It will be prtected frm unauthrized deletin and/r mdificatin. This cmpnent traces back t and aids in meeting the fllwing bjective: O.AUDIT_LOG.

46 FTA_SSL.3 TSF-initiated terminatin: This cmpnent prvides requirements fr the TSF t terminate the sessin after a specified perid f user inactivity. This cmpnent traces back t and aids in meeting the fllwing bjective: O.TIMEOUT. FCS_CKM.1 Cryptgraphic key generatin: This cmpnent requires cryptgraphic keys t be generated in accrdance with a specified algrithm and key sizes which can be based n an assigned standard. This cmpnent traces back t and aids in meeting the fllwing bjective: O.ENCRYPT_DATA. FCS_CKM.4 Cryptgraphic key destructin: This cmpnent requires cryptgraphic keys t be destryed in accrdance with a specified destructin methd which can be based n an assigned standard. This cmpnent traces back t and aids in meeting the fllwing bjective: O.ENCRYPT_DATA. FCS_COP.1(1) Cryptgraphic peratin (AES): This cmpnent requires the cryptgraphic algrithm and key size used t perfrm specified cryptgraphic peratin(s) which can be based n an assigned standard. This cmpnent traces back t and aids in meeting the fllwing bjective: O.ENCRYPT_DATA. FPT_ITT.1 Basic internal TSF data transfer prtectin: This cmpnent requires that TSF data be prtected when transmitted between separate parts f the TOE. This cmpnent traces back t and aids in meeting the fllwing bjective: O.SECURE_DATA. FCS_COP.1(2) Cryptgraphic peratin (VeriSign): This cmpnent requires the cryptgraphic algrithm and key size used t perfrm specified cryptgraphic peratin(s) which can be based n an assigned standard. This cmpnent traces back t and aids in meeting the fllwing bjective: O.SIGN_MOB.

47 9.3.2 Tracing f Security Objectives t Security Prblem Definitin The relatin between security bjectives and the security prblem definitin (threats, rganizatinal security plicies and assumptins) is shwn in Table 11. Table 11: Mappings f TOE Security Objectives and Security Prblem Definitin A.TIME A.PHY_ACC P.AUDIT_LOG P.ADMIN_IDENTIFY T.UNTRUSTED_APP T.DATA_INTERCEPT T.BYPASS T.ILLEGAL_ACCESS O.I&A O.AUDIT_LOG O.LOGIN_FAIL O.TIMEOUT O.ENCRYPT_DATA O.SECURE_DATA O.SIGN_MOB OE.PHYSEC OE.TIME

48 9.3.3 SFR Dependency Ratinale Table 12: SFR dependency ratinale SFR Dependency Justificatin FIA_ATD.1 Nne N dependencies t satisfy. FIA_AFL.1 FIA_UAU.1 Satisfied with FIA_UAU.2. FIA_UID.2 Nne N dependencies t satisfy. FIA_UAU.2 FIA_UID.1 Satisfied with FIA_UID.2. FAU_GEN.1 FPT_STM.1 Satisfied with FPT_STM.1. FAU_GEN.2 FAU_GEN.1, FIA_UID.1 Satisfied with FAU_GEN.1 and FIA_UID.2. FPT_STM.1 Nne N dependencies t satisfy. FAU_SAR.1 FAU_GEN.1 Satisfied with FAU_GEN.1. FAU_SAR.2 FAU_SAR.1 Satisfied with FAU_SAR.1. FAU_SAR.3 FAU_SAR.1 Satisfied with FAU_SAR.1. FAU_STG.1 FAU_GEN.1 Satisfied with FAU_GEN.1. FTA_SSL.3 Nne N dependencies t satisfy. FCS_COP.1(1)(AES) FCS_CKM.1, FCS_CKM.4 Satisfied with FCS_CKM.1 and FCS_CKM.4. FPT_ITT.1 Nne N dependencies t satisfy. FCS_COP.1(2) (VeriSign) FCS_CKM.1, FCS_CKM.4 Nne satisfied, because the TSF nly verifies the integrity f the Mbile Applicatin with Verisign. The TSF has n need t generate (nr destry) cryptgraphic keys fr this prcess. Therefre, FCS_CKM.1 and FCS_CKM.4 are nt applicable SAR Justificatin The security assurance requirements that are selected fr the TOE are frm the CC EAL2 package. This EAL was chsen based n the security prblem definitin and the security bjectives fr the TOE. The chsen assurance level is cnsistent with the claimed threat envirnment.