Venafi Trust Protection Platform SWAPP Assurance Activity Report


Pascal Patin

ISSUED BY Acumen Security, LLC

Revision History:

Version       Date        Changes
Version 1.0   7/15/2017   Initial Release
Version 1.1   9/8/2017    Updated for ST version 1.2
Version 1.2   9/15/2017   Updated for ST version 1.3 and FCS_RBG_EXT.1

Table of Contents

1 TOE Overview
Reporting on Assurance Activities
Reporting on TSS Assurance Activities
Reporting on Guidance Assurance Activities
Test Equivalency Justification
Detailed Test Cases
Test Cases (Cryptographic Support)
FCS_COP.1.1(1) TSS
FCS_COP.1.1(1) Test
FCS_RBG_EXT.1.1 TSS
FCS_RBG_EXT.1.1 Test
FCS_STO_EXT.1.1 TSS
FCS_STO_EXT.1.1 Test
FCS_TLSC_EXT.1.1 TSS
FCS_TLSC_EXT.1.1 Guidance
FCS_TLSC_EXT.1.1 Test
FCS_TLSC_EXT.1.1 Test
FCS_TLSC_EXT.1.1 Test
FCS_TLSC_EXT.1.1 Test
FCS_TLSC_EXT.1.1 Test
FCS_TLSC_EXT.1.2 TSS (Selection Based Requirement)
FCS_TLSC_EXT.1.2 Guidance (Selection Based Requirement)
FCS_TLSC_EXT.1.2 Test 1 (Selection Based Requirement)
FCS_TLSC_EXT.1.2 Test 2 (Selection Based Requirement)
FCS_TLSC_EXT.1.2 Test 3 (Selection Based Requirement)
FCS_TLSC_EXT.1.2 Test 4 (Selection Based Requirement)
FCS_TLSC_EXT.1.2 Test 5 (Selection Based Requirement)
FCS_TLSC_EXT.1.3 Test 1 (Selection Based Requirement)
FCS_TLSC_EXT.4.1 TSS
FCS_TLSC_EXT.4.1 Guidance
FCS_TLSC_EXT.4.1 Test
FCS_SSHC_EXT.1.1 TSS
FCS_SSHC_EXT.1.1 Test
FCS_SSHC_EXT.1.1 Test
FCS_SSHC_EXT.1.2 TSS
FCS_SSHC_EXT.1.2 Test
FCS_SSHC_EXT.1.3 TSS
FCS_SSHC_EXT.1.3 Guidance
FCS_SSHC_EXT.1.3 Test
FCS_SSHC_EXT.1.3 Test
FCS_SSHC_EXT.1.4 TSS
FCS_SSHC_EXT.1.4 Guidance
FCS_SSHC_EXT.1.4 Test
FCS_SSHC_EXT.1.4 Test
FCS_SSHC_EXT.1.5 TSS
FCS_SSHC_EXT.1.5 Guidance
FCS_SSHC_EXT.1.5 Test
FCS_SSHC_EXT.1.5 Test
FCS_SSHC_EXT.1.5 Test
FCS_SSHC_EXT.1.6 TSS
FCS_SSHC_EXT.1.6 Guidance
FCS_SSHC_EXT.1.6 Test
FCS_SSHC_EXT.1.7 Test
FCS_SSHC_EXT.1.8 Test
FCS_SSHC_EXT.1.8 Test
Test Cases (User Data Protection)
FDP_DEC_EXT.1.1 Test
FDP_DEC_EXT.1.2 Test
FDP_NET_EXT.1.1 Test
FDP_NET_EXT.1.1 Test
FDP_DAR_EXT.1.1 Test
Test Cases (Identification and Authentication)
FIA_X509_EXT.1.1 TSS (Selection Based Requirement)
FIA_X509_EXT.1.1 Test 1 (Selection Based Requirement)
FIA_X509_EXT.1.1 Test 2 (Selection Based Requirement)
FIA_X509_EXT.1.1 Test 3 (Selection Based Requirement)
FIA_X509_EXT.1.1 Test 4 (Selection Based Requirement)
4.3.6 FIA_X509_EXT.1.1 Test 5 (Selection Based Requirement)
FIA_X509_EXT.1.1 Test 6 (Selection Based Requirement)
FIA_X509_EXT.1.1 Test 7 (Selection Based Requirement)
FIA_X509_EXT.1.2 Test 1 (Selection Based Requirement)
FIA_X509_EXT.1.2 Test 2 (Selection Based Requirement)
FIA_X509_EXT.1.2 Test 3 (Selection Based Requirement)
Test Cases (Security Management)
FMT_MEC_EXT.1.1 TSS
FMT_MEC_EXT.1.1 Test
FMT_CFG_EXT.1.1 TSS
FMT_CFG_EXT.1.1 Test
FMT_CFG_EXT.1.1 Test
FMT_CFG_EXT.1.1 Test
FMT_CFG_EXT.1.2 Test
FMT_SMF.1.1 Guidance
Test Cases (Protection of the TSF)
FPT_API_EXT.1.1 TSS
FPT_AEX_EXT.1.1 TSS
FPT_AEX_EXT.1.1 Test
FPT_AEX_EXT.1.2 Test
FPT_AEX_EXT.1.4 Test
FPT_AEX_EXT.1.5 TSS
FPT_AEX_EXT.1.5 Test
FPT_TUD_EXT.1.2 Test
FPT_TUD_EXT.1.6 TSS
Security Assurance Requirements
AGD_OPE.1 Guidance
Evaluator Findings
Verdict
AGD_PRE.1 Guidance
Evaluator Findings
Verdict
ALC_CMC.1 ST
Evaluator Findings
5.3.2 Verdict
ALC_CMS.1 Guidance
Evaluator Findings
Verdict
ALC_TSU_EXT.1 TSS
Evaluator Findings
Verdict
ALC_TSU_EXT.1 TSS
Evaluator Findings
Verdict
ATE_IND
AVA_VAN
Conclusion

Assurance Activity Report (AAR) for a Target of Evaluation

Venafi Trust Protection Platform, Version 17.1

Venafi Trust Protection Platform Security Target, Version 1.3, September 2017

Protection Profile for Application Software, Version 1.2 with Extended Package for Secure Shell, Version 1.0

Evaluated by:
Office Park Dr.
Montgomery Village, MD

Prepared for:
National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme

The Developer of the TOE:
Venafi
175 E 400 S, Suite 300
Salt Lake City, UT

The Author of the Security Target:
Venafi
175 E 400 S, Suite 300
Salt Lake City, UT

The TOE Evaluation was Sponsored by:
Venafi
175 E 400 S, Suite 300
Salt Lake City, UT

Evaluation Personnel:
Pascal Patin

Common Criteria Version:
Common Criteria Version 3.1 Revision 4

Common Evaluation Methodology Version:
CEM Version 3.1 Revision 4

1 TOE Overview

Venafi Trust Protection Platform secures and protects keys and certificates in the datacenter, on desktops, on mobile and IoT devices, and in the cloud. This protection improves security posture with increased visibility, threat intelligence, policy enforcement, and faster incident response for certificate-related outages and compromises leveraging misused keys and certificates. The platform supports all Venafi products and provides native integration with thousands of applications and common APIs for the extensive security ecosystem. Shared and extensible services enable enterprises to gain complete visibility into their key and certificate inventory, identify certificate reputation, and establish a baseline. The entire issuance and renewal process can be automated with policy enforcement and workflows, enabling new encryption dependent applications to be scaled quickly. Trust Protection Platform keeps organizations secure, helping them comply with standards and remediate key and certificate misuse.

2 Reporting on Assurance Activities

2.1 Reporting on TSS Assurance Activities

Information required to be in the TSS is largely self-documenting, meaning that the evaluator in most cases is required to ensure that it is present in the TSS, but little beyond that is required in most PPs. For most TSS assurance activities in the AAR, a simple indication that the information is present and a pointer to that information in the ST is sufficient; it is not required to copy and paste the assurance activity or the information in the TSS into the AAR. It is expected that the evaluator ensure that the information in the TSS as a whole is consistent, and that spurious information is not included. For some information in the TSS, the evaluator may be required to make a judgment on that information relative to the security requirement being levied. For these requirements, the evaluator shall write up their rationale in the TSS section of the AAR.

2.2 Reporting on Guidance Assurance Activities

The AAR lists specifically all documents used for each platform, model, and hardware component (chassis, blade, processor, etc.) to satisfy the requirements for operational guidance assurance activities. Each applicable administrative manual must be identified in a manner such that an end user can locate the specific manual used for the evaluation. It is acceptable to list general manuals that have evaluation-specific addenda, as long as both are identified. For each assurance activity referencing information in the operational guidance, the AAR must list for each model that has a distinct manual or manuals the specific manual that contains the information, along with a pointer to the section or sections that satisfy the requirement in the assurance activity.

3 Test Equivalency Justification

Not applicable. The TOE is a single product being tested on a single platform.

4 Detailed Test Cases

4.1 Test Cases (Cryptographic Support)

FCS_COP.1.1(1) TSS

The evaluator shall verify that the TSS describes the counter mechanism including rationale that the counter values provided are unique.

Evaluator Findings

The evaluator found that the product relies on the underlying platform for cryptographic functionality, as the Application Note for this SFR in the SSH EP says it may. Based on this the assurance activity is considered satisfied.

Verdict

FCS_COP.1.1(1) Test 1

The evaluator shall perform all of the following tests for each algorithm implemented by the TSF and used to satisfy the requirements of this PP: AES Known Answer Tests, AES Multi-Block Message Test, and AES Monte Carlo Tests.

Evaluator Findings

The TOE relies on the underlying Windows Server 2012 platform for all SSH cryptographic operations. CAVP Algorithm Certificate #s #2848, #2832, #2853, #

Verdict

FCS_RBG_EXT.1.1 TSS

If "invoke platform provided DRBG functionality" is selected, the evaluation activities will be performed as stated in the following requirements. The evaluator shall examine the TSS to confirm that it identifies all functions (as described by the SFRs included in the ST) that obtain random numbers from the platform RBG. The evaluator shall determine that for each of these functions, the TSS states which platform interface (API) is used to obtain the random numbers. The evaluator shall confirm that each of these interfaces corresponds to the acceptable interfaces listed for each platform below.

Evaluator Findings

The evaluator examined the TSS to confirm that it identifies all functions (as described by the SFRs included in the ST) that obtain random numbers from the platform RBG. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that the TOE relies on platform cryptographic functionality in all instances where random numbers would be used for functions described by ST SFRs. Based on this the assurance activity is considered satisfied.

Verdict

FCS_RBG_EXT.1.1 Test

Evaluator Findings

A debugger was used to decompile the product and demonstrate that the TOE calls the platform's underlying RNG functionality. This showed that the product calls .NET's RNGCryptoServiceProvider class. The following article from Microsoft's online documentation states that RNGCryptoServiceProvider uses the implementation provided by the Windows Cryptographic Service Provider (CSP): Page 66 of the Windows Server 2012 R2 ST states that the CSPs are FIPS certified cryptographic modules used by the platform.

Verdict

FCS_STO_EXT.1.1 TSS

The evaluator shall check the TSS to ensure that it lists all persistent credentials (secret keys, PKI private keys, or passwords) needed to meet the requirements in the ST. For each of these items, the evaluator shall confirm that the TSS lists for what purpose it is used, and how it is stored.

Evaluator Findings

The evaluator examined the TSS to ensure that it lists all persistent credentials needed to meet the requirements in the ST. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that the TOE's symmetric encryption key is the only credential this applies to, and it is protected by the Windows Data Protection API (DPAPI). Based on this the assurance activity is considered satisfied.

Verdict

4.1.6 FCS_STO_EXT.1.1 Test

Evaluator Findings

Verdict

FCS_TLSC_EXT.1.1 TSS

The evaluator shall check the description of the implementation of this protocol in the TSS to ensure that the cipher suites supported are specified. The evaluator shall check the TSS to ensure that the cipher suites specified include those listed for this component.

Evaluator Findings

The evaluator examined the description of the implementation of TLS in the TSS to ensure that the cipher suites supported are specified. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that seven TLS ciphersuites are supported by the TOE. These ciphersuites were found to be consistent with those listed in section of the ST. Based on this the assurance activity is considered satisfied.

Verdict

FCS_TLSC_EXT.1.1 Guidance

The evaluator shall also check the operational guidance to ensure that it contains instructions on configuring the TOE so that TLS conforms to the description in the TSS.

Evaluator Findings

The evaluator examined the AGD to determine that any configuration that is required to be done to configure the functionality for the required modes and key sizes is present. Section 2 of the AGD was used to determine the verdict of this assurance activity. The evaluator found that the product platform needs to be in FIPS mode in order to appropriately restrict ciphers and keys. Based on this the assurance activity is considered satisfied.

Verdict

FCS_TLSC_EXT.1.1 Test 1

The evaluator shall establish a TLS connection using each of the cipher suites specified by the requirement. This connection may be established as part of the establishment of a higher level protocol, e.g., as part of an EAP session. It is sufficient to observe the successful negotiation of a cipher suite to satisfy the intent of the test; it is not necessary to examine the characteristics of the encrypted traffic in an attempt to discern the cipher suite being used (for example, that the cryptographic algorithm is 128-bit AES and not 256-bit AES).

Evaluator Findings

The evaluator used the application's HTTP Connection Test functionality to establish TLS connections from the TOE to a TLS test server. As shown in the test report, all of the ciphersuites claimed in the ST were supported by the TOE.

Verdict

FCS_TLSC_EXT.1.1 Test 2

The evaluator shall attempt to establish the connection using a server with a server certificate that contains the Server Authentication purpose in the extendedKeyUsage field and verify that a connection is established. The evaluator will then verify that the client rejects an otherwise valid server certificate that lacks the Server Authentication purpose in the extendedKeyUsage field and a connection is not established. Ideally, the two certificates should be identical except for the extendedKeyUsage field.

Evaluator Findings

The evaluator used the application's HTTP Connection Test functionality to attempt to establish a TLS connection from the TOE to a TLS test server. The server was configured to present a certificate that lacked the extendedKeyUsage field. As shown in the test report, the TOE rejected the server and refused to establish a TLS connection.

Verdict

FCS_TLSC_EXT.1.1 Test 3

The evaluator shall send a server certificate in the TLS connection that does not match the server selected cipher suite (for example, send an ECDSA certificate while using the TLS_RSA_WITH_AES_128_CBC_SHA cipher suite or send an RSA certificate while using one of the ECDSA cipher suites). The evaluator shall verify that the TOE disconnects after receiving the server's Certificate handshake message.

Verdict

FCS_TLSC_EXT.1.1 Test 4

The evaluator shall configure the server to select the TLS_NULL_WITH_NULL_NULL cipher suite and verify that the client denies the connection.

Verdict

FCS_TLSC_EXT.1.1 Test 5

The evaluator shall perform the following modifications to traffic:

- Change the TLS version selected by the server in the Server Hello to a non-supported TLS version (for example 1.3 represented by the two bytes 03 04) and verify that the client rejects the connection.
- Modify at least one byte in the server's nonce in the Server Hello handshake message, and verify that the client rejects the Server Key Exchange handshake message (if using a DHE or ECDHE ciphersuite) or that the server denies the client's Finished handshake message.
- Modify the server's selected ciphersuite in the Server Hello handshake message to be a ciphersuite not presented in the Client Hello handshake message. The evaluator shall verify that the client rejects the connection after receiving the Server Hello.
- Modify the signature block in the Server's Key Exchange handshake message, and verify that the client rejects the connection after receiving the Server Key Exchange message.
- Modify a byte in the Server Finished handshake message, and verify that the client sends a fatal alert upon receipt and does not send any application data.
- Send a garbled message from the Server after the Server has issued the ChangeCipherSpec message and verify that the client denies the connection.

Verdict

FCS_TLSC_EXT.1.2 TSS (Selection Based Requirement)

The evaluator shall ensure that the TSS describes the client's method of establishing all reference identifiers from the application configured reference identifier, including which types of reference identifiers are supported (e.g. Common Name, DNS Name, URI Name, Service Name, or other application specific Subject Alternative Names) and whether IP addresses and wildcards are supported. The evaluator shall ensure that this description identifies whether and the manner in which certificate pinning is supported or used by the TOE.

Evaluator Findings

The evaluator examined the TSS to determine if it describes the client's method of establishing all reference identifiers. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that the underlying Windows functionality is used for this functionality. Identifiers that are checked are Distinguished Name, Subject Name, Subject Alternative Name and Extended Key Usages. Certificate pinning is not supported. Based on this the assurance activity is considered satisfied.

Verdict

FCS_TLSC_EXT.1.2 Guidance (Selection Based Requirement)

The evaluator shall verify that the AGD guidance includes instructions for setting the reference identifier to be used for the purposes of certificate validation in TLS.

Evaluator Findings

The evaluator verified that the AGD includes instructions for setting the reference identifier. The evaluator found that instructions for this are included in the TLS Connectivity section of the AGD. Based on this the assurance activity is considered satisfied.

Verdict

FCS_TLSC_EXT.1.2 Test 1 (Selection Based Requirement)

The evaluator shall present a server certificate that does not contain an identifier in either the Subject Alternative Name (SAN) or Common Name (CN) that matches the reference identifier. The evaluator shall verify that the connection fails.

Verdict

FCS_TLSC_EXT.1.2 Test 2 (Selection Based Requirement)

The evaluator shall present a server certificate that contains a CN that matches the reference identifier, contains the SAN extension, but does not contain an identifier in the SAN that matches the reference identifier. The evaluator shall verify that the connection fails. The evaluator shall repeat this test for each supported SAN type.

Verdict

FCS_TLSC_EXT.1.2 Test 3 (Selection Based Requirement)

The evaluator shall present a server certificate that contains a CN that matches the reference identifier and does not contain the SAN extension. The evaluator shall verify that the connection succeeds.

Verdict

FCS_TLSC_EXT.1.2 Test 4 (Selection Based Requirement)

The evaluator shall present a server certificate that contains a CN that does not match the reference identifier but does contain an identifier in the SAN that matches. The evaluator shall verify that the connection succeeds.

Verdict

FCS_TLSC_EXT.1.2 Test 5 (Selection Based Requirement)

The evaluator shall perform the following wildcard tests with each supported type of reference identifier:

- The evaluator shall present a server certificate containing a wildcard that is not in the left-most label of the presented identifier (e.g. foo.*.example.com) and verify that the connection fails.
- The evaluator shall present a server certificate containing a wildcard in the left-most label but not preceding the public suffix (e.g. *.example.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.example.com) and verify that the connection succeeds. The evaluator shall configure the reference identifier without a left-most label as in the certificate (e.g. example.com) and verify that the connection fails. The evaluator shall configure the reference identifier with two left-most labels (e.g. bar.foo.example.com) and verify that the connection fails.
- The evaluator shall present a server certificate containing a wildcard in the left-most label immediately preceding the public suffix (e.g. *.com). The evaluator shall configure the reference identifier with a single left-most label (e.g. foo.com) and verify that the connection fails. The evaluator shall configure the reference identifier with two left-most labels (e.g. bar.foo.com) and verify that the connection fails.
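The CN/SAN precedence and wildcard rules that FCS_TLSC_EXT.1.2 Tests 1 through 5 exercise, written out as an added example; it is not code from this report, the TOE or the Windows platform. The function names, the small public-suffix set and the sample host names are assumptions constructed for illustration, and refusing partial-label wildcards is a stricter choice that the tests above do not cover.

```python
# Added example: reference-identifier matching as exercised by
# FCS_TLSC_EXT.1.2 Tests 1-5. Names and sample data are hypothetical.

# Assumption: a tiny constructed stand-in for the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "org", "net", "co.uk"}


def _labels(name):
    """Split a DNS name into lower-case labels, ignoring a trailing dot."""
    return name.lower().rstrip(".").split(".")


def dns_name_matches(presented, reference):
    """Return True if a presented DNS identifier matches the reference."""
    p, r = _labels(presented), _labels(reference)
    if "" in p or "" in r:
        return False  # empty labels are malformed
    # A wildcard is only honoured in the left-most label.
    if any("*" in label for label in p[1:]):
        return False
    if "*" not in p[0]:
        return p == r  # no wildcard: exact, case-insensitive match
    if p[0] != "*":
        return False  # assumption: partial wildcards (f*o) are refused
    # The wildcard must not sit directly in front of a public suffix.
    if ".".join(p[1:]) in PUBLIC_SUFFIXES:
        return False
    # The wildcard stands for exactly one label, never zero or two.
    return len(p) == len(r) and p[1:] == r[1:]


def certificate_matches(reference, common_name=None, san_dns_names=None):
    """Apply SAN-over-CN precedence.

    san_dns_names is None when the certificate has no SAN extension;
    a list (even an empty one) means the extension is present, and the
    CN is then ignored.
    """
    if san_dns_names is not None:
        return any(dns_name_matches(n, reference) for n in san_dns_names)
    if common_name is not None:
        return dns_name_matches(common_name, reference)
    return False


def run_matrix():
    """Run constructed certificates through the Test 1-5 expectations.

    Returns a list of (description, expected, actual) tuples.
    """
    ref = "foo.example.com"
    cases = [
        # (description, reference, CN, SAN list or None, expected)
        ("T1 no match in CN or SAN", ref, "other.example.net",
         ["alt.example.net"], False),
        ("T2 CN matches, SAN present without match", ref, ref,
         ["alt.example.net"], False),
        ("T3 CN matches, no SAN extension", ref, ref, None, True),
        ("T4 CN mismatch, SAN matches", ref, "other.example.net",
         [ref], True),
        ("T5 wildcard not in left-most label", "foo.bar.example.com",
         None, ["foo.*.example.com"], False),
        ("T5 *.example.com vs one label", "foo.example.com",
         None, ["*.example.com"], True),
        ("T5 *.example.com vs no label", "example.com",
         None, ["*.example.com"], False),
        ("T5 *.example.com vs two labels", "bar.foo.example.com",
         None, ["*.example.com"], False),
        ("T5 *.com vs one label", "foo.com", None, ["*.com"], False),
        ("T5 *.com vs two labels", "bar.foo.com", None, ["*.com"], False),
    ]
    return [(desc, expected, certificate_matches(reference, cn, san))
            for desc, reference, cn, san, expected in cases]


if __name__ == "__main__":
    for desc, expected, actual in run_matrix():
        status = "ok" if expected == actual else "MISMATCH"
        print(f"{status:8} {desc}: connection "
              f"{'succeeds' if actual else 'fails'}")
```
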

Verdict

FCS_TLSC_EXT.1.3 Test 1 (Selection Based Requirement)

The evaluator shall demonstrate that a peer using a certificate without a valid certification path results in an authentication failure. Using the administrative guidance, the evaluator shall then load the trusted CA certificate(s) needed to validate the peer's certificate, and demonstrate that the connection succeeds. The evaluator then shall delete one of the CA certificates, and show that the connection fails.

Verdict

FCS_TLSC_EXT.4.1 TSS

The evaluator shall verify that TSS describes the supported Elliptic Curves Extension and whether the required behavior is performed by default or may be configured.

Evaluator Findings

The evaluator examined the TSS to determine if the supported Elliptic Curves Extensions are described and whether the required behavior is performed by default. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that the secp256r1, secp384r1 and secp521r1 curves are supported. These curves are supported by default. Based on this the assurance activity is considered satisfied.

Verdict

FCS_TLSC_EXT.4.1 Guidance

If the TSS indicates that the supported Elliptic Curves Extension must be configured to meet the requirement, the evaluator shall verify that AGD guidance includes configuration of the supported Elliptic Curves Extension.

Evaluator Findings

The TSS states that no product configuration is required in order to meet this requirement. As indicated in previous assurance activities, restricting the product platform to FIPS mode limits the product's cryptography to that described in the ST. Based on this the assurance activity is considered satisfied.

Verdict

FCS_TLSC_EXT.4.1 Test 1

The evaluator shall configure the server to perform an ECDHE key exchange message in the TLS connection using a non-supported ECDHE curve (for example, P-192) and shall verify that the TOE disconnects after receiving the server's Key Exchange handshake message.

Verdict

FCS_SSHC_EXT.1.1 TSS

The evaluator will check to ensure that the TSS contains a description of the public key algorithms that are acceptable for use for authentication, that this list conforms to FCS_SSHC_EXT.1.4, and ensure that password-based authentication methods are also allowed.

Evaluator Findings

The evaluator examined the TSS to ensure that it contains a description of the public key algorithms that are used for authentication. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that SSH-RSA and ECDSA-SHA2-NISTp256 are the supported public key algorithms. This is consistent with the algorithms that are listed in FCS_SSHC_EXT.1.4. Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.1 Test 1

The evaluator will, for each public key algorithm supported, show that the TOE supports the use of that public key algorithm to authenticate a user connection to an SSH server. Any configuration activities required to support this test shall be performed according to instructions in the guidance documentation.

FCS_SSHC_EXT.1.1 Test 2

Using the guidance documentation, the evaluator will configure the TOE to perform password-based authentication to an SSH server, and demonstrate that a user can be successfully authenticated by the TOE to an SSH server using a password as an authenticator.

FCS_SSHC_EXT.1.2 TSS

The evaluator will check that the TSS describes how large packets in terms of RFC 4253 are detected and handled.

Evaluator Findings

The evaluator examined the TSS to determine if it describes how large SSH packets are handled. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that if a packet larger than 35,000 bytes is received by the TOE that packet is dropped by the TOE and the connection is closed. This is consistent with the requirements of RFC Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.2 Test 1

The evaluator will demonstrate that if the TOE receives a packet larger than that specified in this component, that packet is dropped.

Verdict

FCS_SSHC_EXT.1.3 TSS

The evaluator will check the description of the implementation of this protocol in the TSS to ensure that optional characteristics are specified, and the encryption algorithms supported are specified as well. The evaluator will check the TSS to ensure that the encryption algorithms specified are identical to those listed for this component.

Evaluator Findings

The evaluator examined the ST to determine if optional characteristics and supported encryption algorithms are specified. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that the following algorithms are supported:

- AES128-CBC
- AES256-CBC
- AES128-CTR
- AES256-CTR

These algorithms were consistent with FCS_SSHC_EXT.1.3. No optional SSH characteristics are supported. Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.3 Guidance

The evaluator will also check the guidance documentation to ensure that it contains instructions on configuring the TOE so that SSH conforms to the description in the TSS (for instance, the set of algorithms advertised by the TOE may have to be restricted to meet the requirements).

Evaluator Findings

The evaluator examined the AGD to determine that any configuration that is required to be done to configure the functionality for the required modes and key sizes is present. Section 2 of the AGD was used to determine the verdict of this assurance activity. The evaluator found that the product platform needs to be in FIPS mode in order to appropriately restrict ciphers and keys. Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.3 Test 1

The evaluator will establish an SSH connection using each of the encryption algorithms specified by the requirement. It is sufficient to observe (on the wire) the successful negotiation of the algorithm to satisfy the intent of the test.

Verdict

FCS_SSHC_EXT.1.3 Test 2

The evaluator will configure an SSH server to only allow the 3des-cbc encryption algorithm and no other encryption algorithms. The evaluator will attempt to establish an SSH connection from the TOE to the SSH server and observe that the connection is rejected.

Verdict

FCS_SSHC_EXT.1.4 TSS

The evaluator will check the description of the implementation of this protocol in the TSS to ensure that optional characteristics are specified, and the public key algorithms supported are specified as well. The evaluator will check the TSS to ensure that the public key algorithms specified are identical to those listed for this component.

Evaluator Findings

The evaluator examined the ST to determine if optional characteristics and public key algorithms are specified. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that SSH-RSA and ECDSA-SHA2-NISTp256 are the supported public key algorithms. These algorithms are identical to those listed in FCS_SSHC_EXT.1.4 of the ST. Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.4 Guidance

The evaluator will also check the guidance documentation to ensure that it contains instructions on configuring the TOE so that SSH conforms to the description in the TSS (for instance, the set of algorithms advertised by the TOE may have to be restricted to meet the requirements).

Evaluator Findings

The evaluator examined the AGD to determine that any configuration that is required to be done to configure the functionality for the required modes and key sizes is present. Section 2 of the AGD was used to determine the verdict of this assurance activity. The evaluator found that the product platform needs to be in FIPS mode in order to appropriately restrict ciphers and keys. Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.4 Test 1

The evaluator will establish an SSH connection using each of the public key algorithms specified by the requirement to authenticate an SSH server to the TOE. It is sufficient to observe (on the wire) the successful negotiation of the algorithm to satisfy the intent of the test.

Verdict

FCS_SSHC_EXT.1.4 Test 2

The evaluator will configure an SSH server to only allow the ssh-dsa public key algorithm and no other public key algorithms. The evaluator will attempt to establish an SSH connection from the TOE to the SSH server and observe that the connection is rejected.

Verdict

FCS_SSHC_EXT.1.5 TSS

The evaluator will check the TSS to ensure that it lists the supported data integrity algorithms, and that that list corresponds to the list in this component.

Evaluator Findings

The evaluator examined the TSS to ensure that it lists the supported data integrity algorithms. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that HMAC-SHA-1, HMAC-SHA2-256 and HMAC-SHA2-512 are supported by the TOE. This is consistent with the algorithms listed in FCS_SSHC_EXT.1.5. Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.5 Guidance

The evaluator will also check the guidance documentation to ensure that it contains instructions to the administrator on how to ensure that only the allowed data integrity algorithms are used in SSH connections with the TOE (specifically, that the "none" MAC algorithm is not allowed).

Evaluator Findings

The evaluator examined the AGD to determine that any configuration that is required to be done to configure the functionality for the required modes and key sizes is present. Section 2 of the AGD was used to determine the verdict of this assurance activity. The evaluator found that the product platform needs to be in FIPS mode in order to appropriately restrict ciphers and keys. Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.5 Test 1

The evaluator will establish an SSH connection using each of the integrity algorithms specified by the requirement. It is sufficient to observe (on the wire) the successful negotiation of the algorithm to satisfy the intent of the test.

Verdict

FCS_SSHC_EXT.1.5 Test 2

The evaluator will configure an SSH server to only allow the "none" MAC algorithm. The evaluator will attempt to connect from the TOE to the SSH server and observe that the attempt fails.

Verdict

FCS_SSHC_EXT.1.5 Test 3

The evaluator will configure an SSH server to only allow the hmac-md5 MAC algorithm. The evaluator will attempt to connect from the TOE to the SSH server and observe that the attempt fails.

Verdict

FCS_SSHC_EXT.1.6 TSS

The evaluator will check the TSS to ensure that it lists the supported key exchange algorithms, and that that list corresponds to the list in this component.

Evaluator Findings

The evaluator examined the TSS to determine if it lists the supported key exchange algorithms. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that DH-Group14-SHA1 is the only supported key exchange algorithm. This is consistent with FCS_SSHC_EXT.1.6 in the ST. Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.6 Guidance

The evaluator will also check the guidance documentation to ensure that it contains instructions to the administrator on how to ensure that only the allowed key exchange algorithms are used in SSH connections with the TOE.

Evaluator Findings

The evaluator examined the AGD to determine that any configuration that is required to be done to configure the functionality for the required modes and key sizes is present. Section 2 of the AGD was used to determine the verdict of this assurance activity. The evaluator found that the product platform needs to be in FIPS mode in order to appropriately restrict ciphers and keys. Based on this the assurance activity is considered satisfied.

Verdict

FCS_SSHC_EXT.1.6 Test 1
The evaluator will configure an SSH server to permit all allowed key exchange methods. The evaluator will attempt to connect from the TOE to the SSH server using each allowed key exchange method, and observe that each attempt succeeds.

Verdict

FCS_SSHC_EXT.1.7 Test 1
The evaluator will configure an SSH server to create a log entry when a rekey occurs. The evaluator will connect to an SSH server with the TOE and cause a rekey to occur according to the selection(s) in the ST, and subsequently review the audit log to ensure that a rekey occurred.

Verdict

FCS_SSHC_EXT.1.8 Test 1
The evaluator will delete all entries in the TOE's list of recognized SSH server host keys and, if selected, all entries in the TOE's list of trusted certification authorities. The evaluator will initiate a connection from the TOE to an SSH server. The evaluator shall ensure that the TOE either rejects the connection or displays the SSH server's public key (either the key bytes themselves or a hash of the key using any allowed hash algorithm) and prompts the user to accept or deny the key before continuing the connection.

Verdict

FCS_SSHC_EXT.1.8 Test 2
The evaluator will add an entry associating a host name with a public key into the TOE's local database. The evaluator will replace, on the corresponding SSH server, the server's host key with a different host key. The evaluator will initiate a connection from the TOE to the SSH server using password-based authentication, shall ensure that the TOE rejects the connection, and shall ensure that the password was not transmitted to the SSH server (for example, by instrumenting the SSH server with a debugging capability to output received passwords).

Verdict

4.2 Test Cases (User Data Protection)

FDP_DEC_EXT.1.1 Test 1
The evaluator shall install and run the application and inspect its user documentation to verify that the user is informed of any need to access hardware resources. The method of doing so varies per platform. For Windows Desktop Applications the evaluator shall verify that either the application or the documentation provide the user with a list of the required hardware resources.

Verdict

FDP_DEC_EXT.1.2 Test 1
The evaluator shall ensure that the selection captures all sensitive information repositories which the application is intended to access. The evaluator shall install and run the application software and inspect its user documentation to verify that the user is informed of any need to access these repositories. The method of doing so varies per platform. The evaluator shall verify that either the application software or its documentation provides the user with a list of the required sensitive information repositories.

Verdict

FDP_NET_EXT.1.1 Test 1
The evaluator shall run the application. While the application is running, the evaluator shall sniff network traffic ignoring all non-application associated traffic and verify that any network communications witnessed are documented in the TSS or are user initiated.

Verdict

FDP_NET_EXT.1.1 Test 2
The evaluator shall run the application. After the application initializes, the evaluator shall run network port scans to verify that any ports opened by the application have been captured in the ST for the third selection and its assignment. This includes connection-based protocols (e.g. TCP, DCCP) as well as connectionless protocols (e.g. UDP).

Verdict

FDP_DAR_EXT.1.1 Test 1
The Windows platform currently does not provide data-at-rest encryption services which depend upon invocation by application developers. The evaluator shall verify that the Operational User Guidance makes the need to activate platform encryption, such as BitLocker or Encrypting File System (EFS), clear to the end user.

Evaluator Findings
The evaluator examined the AGD to determine if the need to activate platform encryption is made clear to the end user. Section 2 of the AGD (Platform Configuration) was used to determine the verdict of this assurance activity. The evaluator found that the AGD requires BitLocker to be used if data at rest protection requirements are to be met. Based on this the assurance activity is considered satisfied.

Verdict

4.3 Test Cases (Identification and Authentication)

FIA_X509_EXT.1.1 TSS (Selection Based Requirement)
The evaluator shall ensure the TSS describes where the check of validity of the certificates takes place. The evaluator ensures the TSS also provides a description of the certificate path validation algorithm.

Evaluator Findings
The evaluator examined the TSS to determine that it describes where the check of validity of the certificates takes place. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that certificate validation is performed by the Windows platform in conformance to RFC 5280. Based on this the assurance activity is considered satisfied.

Verdict

FIA_X509_EXT.1.1 Test 1 (Selection Based Requirement)
The evaluator shall demonstrate that validating a certificate without a valid certification path results in the function failing. The evaluator shall then load a certificate or certificates as trusted CAs needed to validate the certificate to be used in the function, and demonstrate that the function succeeds. The evaluator shall then delete one of the certificates, and show that the function fails.

Verdict

FIA_X509_EXT.1.1 Test 2 (Selection Based Requirement)
The evaluator shall demonstrate that validating an expired certificate results in the function failing.

Verdict

FIA_X509_EXT.1.1 Test 3 (Selection Based Requirement)
The evaluator shall test that the TOE can properly handle revoked certificates - conditional on whether CRL or OCSP is selected; if both are selected, then a test shall be performed for each method. The evaluator shall test revocation of the node certificate and revocation of the intermediate CA certificate (i.e. the intermediate CA certificate should be revoked by the root CA). The evaluator shall ensure that a valid certificate is used, and that the validation function succeeds. The evaluator then attempts the test with a certificate that has been revoked (for each method chosen in the selection) to ensure when the certificate is no longer valid that the validation function fails.

Verdict

4.3.5 FIA_X509_EXT.1.1 Test 4 (Selection Based Requirement)
If OCSP is selected, the evaluator shall configure the OCSP server or use a man-in-the-middle tool to present a certificate that does not have the OCSP signing purpose and verify that validation of the OCSP response fails. If CRL is selected, the evaluator shall configure the CA to sign a CRL with a certificate that does not have the cRLSign key usage bit set, and verify that validation of the CRL fails.

Verdict N/A

FIA_X509_EXT.1.1 Test 5 (Selection Based Requirement)
The evaluator shall modify any byte in the first eight bytes of the certificate and demonstrate that the certificate fails to validate. (The certificate will fail to parse correctly.)

Verdict

FIA_X509_EXT.1.1 Test 6 (Selection Based Requirement)
The evaluator shall modify any byte in the last byte of the certificate and demonstrate that the certificate fails to validate. (The signature on the certificate will not validate.)

Verdict

FIA_X509_EXT.1.1 Test 7 (Selection Based Requirement)
The evaluator shall modify any byte in the public key of the certificate and demonstrate that the certificate fails to validate. (The signature on the certificate will not validate.)

Verdict

FIA_X509_EXT.1.2 Test 1 (Selection Based Requirement)
The evaluator shall construct a certificate path, such that the certificate of the CA issuing the TOE's certificate does not contain the basicConstraints extension. The validation of the certificate path fails.

Verdict

FIA_X509_EXT.1.2 Test 2 (Selection Based Requirement)
The evaluator shall construct a certificate path, such that the certificate of the CA issuing the TOE's certificate has the CA flag in the basicConstraints extension not set. The validation of the certificate path fails.

Verdict

FIA_X509_EXT.1.2 Test 3 (Selection Based Requirement)
The evaluator shall construct a certificate path, such that the certificate of the CA issuing the TOE's certificate has the CA flag in the basicConstraints extension set to TRUE. The validation of the certificate path succeeds.

Verdict

4.4 Test Cases (Security Management)

FMT_MEC_EXT.1.1 TSS
The evaluator shall review the TSS to identify the application's configuration options (e.g. settings) and determine whether these are stored and set using the mechanisms supported by the platform. At a minimum the TSS shall list settings related to any SFRs and any settings that are mandated in the operational guidance in response to an SFR.

Evaluator Findings
The evaluator examined the TSS to determine the application's configuration options that are stored and set using the platform. The evaluator found that no such options are set or stored using platform mechanisms. Based on this the assurance activity is considered satisfied.

Verdict

FMT_MEC_EXT.1.1 Test 1
The evaluator shall review the TSS to identify the application's configuration options (e.g. settings) and determine whether these are stored and set using the mechanisms supported by the platform. The method of doing so varies per platform. For Classic Desktop applications, the evaluator shall run the application while monitoring it with the Sysinternals tool ProcMon and make changes to its configuration. The evaluator shall verify that ProcMon logs show corresponding changes to the Windows Registry.

Verdict

FMT_CFG_EXT.1.1 TSS
The evaluator shall check the TSS to determine if the application requires any type of credentials and if the application installs with default credentials.

Evaluator Findings
The evaluator examined the TSS to determine if the application requires any credentials and if it installs with default credentials. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that the program installs with default credentials which must be changed after initial installation. Based on this the evaluation is considered satisfied.

Verdict

4.4.4 FMT_CFG_EXT.1.1 Test 1
The evaluator shall install and run the application without generating or loading new credentials and verify that only the minimal application functionality required to set new credentials is available.

Verdict

FMT_CFG_EXT.1.1 Test 2
The evaluator shall attempt to clear all credentials and verify that only the minimal application functionality required to set new credentials is available.

Verdict

FMT_CFG_EXT.1.1 Test 3
The evaluator shall run the application, establish new credentials and verify that the original default credentials no longer provide access to the application.

Verdict

FMT_CFG_EXT.1.2 Test 1
The evaluator shall run the Sysinternals tools, Process Monitor and Access Check (or tools of equivalent capability, like icacls.exe) for Classic Desktop applications to verify that files written to disk during an application's installation have the correct file permissions, such that a standard user cannot modify the application or its data files.

Verdict

FMT_SMF.1.1 Guidance
The evaluator shall verify that every management function mandated by the PP is described in the operational guidance and that the description contains the information required to perform the management duties associated with the management function.

Evaluator Findings
The evaluator examined the ST to determine what management functions are mandated by the PP. According to FMT_SMF.1 there are no management functions that the TSF must be able to perform. Because of this there are no functions that must be described in the guidance and the assurance activity is considered satisfied.

Verdict

4.5 Test Cases (Protection of the TSF)

FPT_API_EXT.1.1 TSS
The evaluator shall verify that the TSS lists the platform APIs used in the application. The evaluator shall then compare the list with the supported APIs (available through e.g. developer accounts, platform developer groups) and ensure that all APIs listed in the TSS are supported.

Evaluator Findings
The evaluator examined the TSS to determine if the platform APIs used in the application are listed. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that Microsoft .NET is used by the TOE. The underlying cryptographic modules called this way are also described. This listing is consistent with what Microsoft describes in their documentation at Based on this the assurance activity is considered satisfied.

Verdict

FPT_AEX_EXT.1.1 TSS
The evaluator shall ensure that the TSS describes the compiler flags used to enable ASLR when the application is compiled.

Evaluator Findings
The evaluator examined the TSS to determine if it describes the compiler flags used to enable ASLR. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that the use of compiler flags is not necessary in .NET code, and ASLR is automatically enabled. Based on this the assurance activity is considered satisfied.

Verdict

FPT_AEX_EXT.1.1 Test 1
The evaluator shall ensure that the TSS describes the compiler flags used to enable ASLR when the application is compiled. The evaluator shall perform either a static or dynamic analysis to determine that no memory mappings are placed at an explicit and consistent address. The method of doing so varies per platform. For Windows: The evaluator shall run the same application on two different Windows systems and run a tool that will list all memory mapped addresses for the application. The evaluator shall then verify the two different instances share no mapping locations. The Microsoft Sysinternals tool, VMMap, could be used to view memory addresses of a running application.
The evaluator shall use a tool such as Microsoft's BinScope Binary Analyzer to confirm that the application has ASLR enabled.

Verdict

FPT_AEX_EXT.1.2 Test 1
The evaluator shall verify that no memory mapping requests are made with write and execute permissions. The method of doing so varies per platform. For Windows: The evaluator shall use a tool such as Microsoft's BinScope Binary Analyzer to confirm that the application passes the NXCheck. The evaluator may also ensure that the /NXCOMPAT flag was used during compilation to verify that DEP protections are enabled for the application.

Verdict

FPT_AEX_EXT.1.4 Test 1
The evaluator shall run the application and determine where it writes its files. For files where the user does not choose the destination, the evaluator shall check whether the destination directory contains executable files. This varies per platform: For Windows: For Windows Store Apps the evaluator shall consider the requirement met because the platform forces applications to write all data within the application working directory (sandbox). For Windows Desktop Applications the evaluator shall run the program, mimicking normal usage, and note where all files are written. The evaluator shall ensure that there are no executable files stored in the same directories to which the application wrote and no data files in the application's install directory.

Verdict

FPT_AEX_EXT.1.5 TSS
The evaluator shall ensure that the TSS section of the ST describes the compiler flag used to enable stack-based buffer overflow protection in the application.

Evaluator Findings
The evaluator examined the TSS to determine if it describes the compiler flag used to enable stack-based buffer overflow protection. Section 6 of the ST was used to determine the verdict of this assurance activity. The evaluator found that this requirement is not directly applicable to the TOE. Because of the TOE's use of managed code, stack-based buffer overflows result in an exception being thrown by the common language runtime. Based on this the assurance activity is considered satisfied.

Verdict

FPT_AEX_EXT.1.5 Test 1
The evaluator shall ensure that the TSS section of the ST describes the compiler flag used to enable stack-based buffer overflow protection in the application. The evaluator shall perform a static analysis to verify that stack-based buffer overflow protection is present. The method of doing so varies per platform: For Windows: The evaluator shall review the TSS and verify that the /GS flag was used during compilation. The evaluator shall run a tool, like BinScope, that can verify the correct usage of /GS.

Verdict

FPT_TUD_EXT.1.2 Test 1
The evaluator shall verify that application updates are distributed in the format supported by the platform. This varies per platform:
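The static side of FPT_AEX_EXT.1.1 Test 1 and FPT_AEX_EXT.1.2 Test 1 comes down to a few bits in the PE header, which can be read directly when a second opinion on a tool result is wanted. The following is an added example, not part of the report and not BinScope's own logic: it reads the DllCharacteristics field for the ASLR and NX flags, notes whether relocations were stripped, and reports whether a CLR header is present, since the findings above rest on the TOE being .NET code. The function names and the sample images are constructed for illustration.

```python
import struct

# Flag values from the PE/COFF specification.
RELOCS_STRIPPED = 0x0001   # COFF Characteristics: image must load at its preferred base
HIGH_ENTROPY_VA = 0x0020   # DllCharacteristics: 64-bit high-entropy ASLR
DYNAMIC_BASE = 0x0040      # DllCharacteristics: image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100         # DllCharacteristics: image is compatible with DEP (/NXCOMPAT)
PE32, PE32_PLUS = 0x10B, 0x20B
CLR_DIRECTORY = 14         # data directory index of the CLR runtime header


def inspect_pe(image):
    """Return the exploit-mitigation flags recorded in a PE image's headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    _, _, _, _, _, opt_size, file_chars = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72 or opt + opt_size > len(image):
        raise ValueError("optional header truncated")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32, PE32_PLUS):
        raise ValueError("unknown optional header magic")
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+.
    (flags,) = struct.unpack_from("<H", image, opt + 70)
    dirs_off = 96 if magic == PE32 else 112
    managed = False
    if opt_size >= dirs_off + (CLR_DIRECTORY + 1) * 8:
        (count,) = struct.unpack_from("<I", image, opt + dirs_off - 4)
        if count > CLR_DIRECTORY:
            rva, size = struct.unpack_from("<II", image, opt + dirs_off + CLR_DIRECTORY * 8)
            managed = rva != 0 and size != 0
    stripped = bool(file_chars & RELOCS_STRIPPED)
    return {
        "format": "PE32" if magic == PE32 else "PE32+",
        "dynamic_base": bool(flags & DYNAMIC_BASE),
        "relocs_stripped": stripped,
        # The flag alone is not enough: without relocations the image cannot move.
        "aslr": bool(flags & DYNAMIC_BASE) and not stripped,
        "high_entropy_va": bool(flags & HIGH_ENTROPY_VA),
        "nx_compat": bool(flags & NX_COMPAT),
        "managed": managed,
    }


def build_sample(dll_flags, magic=PE32, file_chars=0x0002, managed=False):
    """Build a constructed, header-only PE image for exercising inspect_pe()."""
    dirs_off = 96 if magic == PE32 else 112
    opt = bytearray(dirs_off + 16 * 8)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dll_flags)
    struct.pack_into("<I", opt, dirs_off - 4, 16)  # NumberOfRvaAndSizes
    if managed:
        # Constructed RVA and size; only their being non-zero matters here.
        struct.pack_into("<II", opt, dirs_off + CLR_DIRECTORY * 8, 0x2008, 0x48)
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    machine = 0x014C if magic == PE32 else 0x8664
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, len(opt), file_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "managed x64, ASLR+NX": build_sample(DYNAMIC_BASE | NX_COMPAT | HIGH_ENTROPY_VA,
                                             magic=PE32_PLUS, managed=True),
        "legacy native, no flags": build_sample(0),
        "flag set, relocs stripped": build_sample(DYNAMIC_BASE | NX_COMPAT,
                                                  file_chars=0x0003),
    }
    for label, image in samples.items():
        print(label, inspect_pe(image))
```

A header check of this kind complements, and does not replace, the dynamic comparison of mapped addresses on two systems that the test describes.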


Check Point Software Technologies Ltd. Security Gateway Appliances R77.30 (NDPP11e3/VPN/FW) Security Target Check Point Software Technologies Ltd. Security Gateway Appliances R77.30 (NDPP11e3/VPN/FW) Security Target Version 0.91 12/29/15 Prepared for: Check Point Software Technologies Ltd. 5 Ha Solelim Street,

More information

NDcPP v1.0 Assurance Activity Report for Dell Networking Platforms

NDcPP v1.0 Assurance Activity Report for Dell Networking Platforms NDcPP v1.0 for Dell Networking Platforms Version v1.8 June 12, 2017 Produced by: Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme The Developer

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Cellcrypt Mobile for Secret Client Version 1.0 Report Number: CCEVS-VR-VID10535-2014 Dated:

More information

Protection Profile for Hardcopy Devices v1.0 Errata #1, June 2017

Protection Profile for Hardcopy Devices v1.0 Errata #1, June 2017 Protection Profile for Hardcopy Devices v1.0 Errata #1, June 2017 1 Introduction These errata apply to the Protection Profile for Hardcopy Devices 1.0 dated September 10, 2015 (hereinafter referred to

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Protection Profile for Voice over IP (VoIP) Applications, Version 1.3, November 3, 2014 TM

More information

Brocade Communication Systems, Inc., Brocade FastIron Switch/Router (NDcPP20) Security Target

Brocade Communication Systems, Inc., Brocade FastIron Switch/Router (NDcPP20) Security Target Brocade Communication Systems, Inc., Brocade FastIron Switch/Router 8.0.70 (NDcPP20) Security Target Version 0.4 01/31/2018 Prepared for: Brocade Communication Systems, Inc. 130 Holger Way San Jose, CA

More information

D4 Secure VPN Client for the HTC A9 Secured by Cog Systems (IVPNCPP14) Security Target

D4 Secure VPN Client for the HTC A9 Secured by Cog Systems (IVPNCPP14) Security Target D4 Secure VPN Client for the HTC A9 Secured by Cog Systems (IVPNCPP14) Security Target Version 0.7 October 31, 2017 Prepared for: Cog Systems Level 1, 277 King Street Newtown NSW 2042 Australia Prepared

More information

Venafi Trust Protection Platform 18.1 Common Criteria Guidance

Venafi Trust Protection Platform 18.1 Common Criteria Guidance Venafi Trust Protection Platform 18.1 Common Criteria Guidance Acumen Security, LLC. Document Version: 1.1 1 Table Of Contents 1 Overview... 4 1.1 Evaluation Platforms... 4 1.2 Technical Support... 4 2

More information

Requirements from the. Protection Profile for Mobile Device Fundamentals

Requirements from the. Protection Profile for Mobile Device Fundamentals Requirements from the Protection Profile for Mobile Device Fundamentals Version: 3.1 2017-06-16 National Information Assurance Partnership Revision History Version Date Comment Introduction Purpose. This

More information

Assurance Activity Report

Assurance Activity Report www.gossamersec.com Assurance Activity Report (IVPNCPP14) for Oceus Networks VPN Client Version 0.6 January 19, 2017 Prepared by: Gossamer Security Solutions Accredited Security Testing Laboratory Common

More information

Aruba Remote Access Point Version FIPS Security Target

Aruba Remote Access Point Version FIPS Security Target Aruba Remote Access Point Version 6.5.1-FIPS Security Target Version 1.1 September 26, 2017 Prepared for: Aruba, a Hewlett Packard Enterprise company 3333 Scott Blvd Santa Clara, CA 95054 Prepared By:

More information

National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme

National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report for Thycotic Secret Server Government Edition v10.1 Report Number: CCEVS-VR-VID10953 Dated:

More information

PP-Module for Clients. Version: National Information Assurance Partnership

PP-Module for  Clients. Version: National Information Assurance Partnership PP-Module for Email Clients Version: 2.0 2015-06-18 National Information Assurance Partnership 1 Revision History Version Date Comment v 1.0 2014-04-01 Release - Email Client Protection Profile v 2.0 2015-06-18

More information

Worksheet for the Mobile Device Fundamentals

Worksheet for the Mobile Device Fundamentals Worksheet for the Mobile Device Fundamentals FAU_GEN1 Audit Data Generation FAU_GEN11 The TSF shall be able to generate an audit record of the following auditable events: 1 Start-up and shutdown of the

More information

Assurance Activity Report for Secusmart SecuSUITE SIP Server v1.0

Assurance Activity Report for Secusmart SecuSUITE SIP Server v1.0 Assurance Activity Report for Secusmart SecuSUITE SIP Server v1.0 Version 2.3 10 May 2017 Prepared by: Electronic Warfare Associates-Canada, Ltd. 1223 Michael Street Ottawa, Ontario, Canada K1J 7T2 Prepared

More information

KeyW BlackBerry Suite B Data at Rest (ASPP12/ASFEEP10) Security Target

KeyW BlackBerry Suite B Data at Rest (ASPP12/ASFEEP10) Security Target (ASPP12/ASFEEP10) Security Target Version 1.0 August 7, 2017 Prepared for: KeyW Corporation 7880 Milestone Parkway, Suite 100 Hanover, MD 21076 www.keywcorp.com Prepared by: www.gossamersec.com 1. SECURITY

More information

Version: National Information Assurance Partnership

Version: National Information Assurance Partnership Network Device Collaborative Protection Profile (NDcPP)/Application Software Protection Profile (App PP) Extended Package Voice/Video over IP (VVoIP) Endpoint Version: 1.0 2016-09-28 National Information

More information

Samsung Electronics Co., Ltd. Samsung Galaxy S6 and S6 Edge (IVPNCPP14) Security Target

Samsung Electronics Co., Ltd. Samsung Galaxy S6 and S6 Edge (IVPNCPP14) Security Target Samsung Electronics Co., Ltd. Samsung Galaxy S6 and S6 Edge (IVPNCPP14) Security Target Version 1.2 2015/04/09 Prepared for: Samsung Electronics Co., Ltd. 416 Maetan-3dong, Yeongtong-gu, Suwon-si, Gyeonggi-do,

More information

Assurance Activity Report (NDcPP10/IPScEP211) for FirePOWER 6.1

Assurance Activity Report (NDcPP10/IPScEP211) for FirePOWER 6.1 www.gossamersec.com Assurance Activity Report (NDcPP10/IPScEP211) for FirePOWER 6.1 Version 0.4 1/03/2018 Prepared by: Gossamer Security Solutions Accredited Security Testing Laboratory Common Criteria

More information

Supporting Document Mandatory Technical Document. Full Drive Encryption: Authorization Acquisition. January Version 1.

Supporting Document Mandatory Technical Document. Full Drive Encryption: Authorization Acquisition. January Version 1. Supporting Document Mandatory Technical Document Full Drive Encryption: Authorization Acquisition January 2015 Version 1.0 CCDB-2015-01-003 Foreword This is a supporting document, intended to complement

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report for the Cisco Jabber 11.8 for Windows 10 Report Number: CCEVS-VR-10802-2017 Dated: 6/13/2017

More information

Assurance Activity Report (MDFPP20) for HTC A9 Secured by Cog Systems D4

Assurance Activity Report (MDFPP20) for HTC A9 Secured by Cog Systems D4 www.gossamersec.com Assurance Activity Report (MDFPP20) for HTC A9 Secured by Cog Systems D4 Version 0.3 05/19/17 Prepared by: Gossamer Security Solutions Accredited Security Testing Laboratory Common

More information

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine. September Version 1.

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine. September Version 1. Supporting Document Mandatory Technical Document Full Drive Encryption: Encryption Engine September 015 Version 1.5 CCDB-015-01-004 3 4 5 6 7 8 9 10 11 1 13 14 15 16 17 18 19 0 1 3 4 5 6 7 8 9 30 31 3

More information

Tabular Presentation of the Application Software Extended Package for Web Browsers

Tabular Presentation of the Application Software Extended Package for Web Browsers Tabular Presentation of the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16

More information

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. October Version 2.

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. October Version 2. Supporting Document Mandatory Technical Document Evaluation Activities for Stateful Traffic Filter Firewalls cpp October-2017 Version 2.0 CCDB-2017-- October-2017 Version 2.0 Page

More information

Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017

Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017 Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications International Crypto Module Conference May 19, 2017 Synopsis Background NIAP policy relating to cryptographic requirements NIAP

More information

Digital Certificates Demystified

Digital Certificates Demystified Digital Certificates Demystified Ross Cooper, CISSP IBM Corporation RACF/PKI Development Poughkeepsie, NY Email: rdc@us.ibm.com August 9 th, 2012 Session 11622 Agenda Cryptography What are Digital Certificates

More information

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine September Version 2.0

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine September Version 2.0 Supporting Document Mandatory Technical Document Full Drive Encryption: Encryption Engine September 2016 Version 2.0 CCDB-2016 Foreword This is a supporting document, intended to complement the Common

More information

Overview. SSL Cryptography Overview CHAPTER 1

Overview. SSL Cryptography Overview CHAPTER 1 CHAPTER 1 Secure Sockets Layer (SSL) is an application-level protocol that provides encryption technology for the Internet. SSL ensures the secure transmission of data between a client and a server through

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT Lexmark CX920, CX921, CX922, CX923, CX924, XC9235, XC9245, XC9255, and XC9265 Multi-Function Printers 7 February 2018 383-4-434 V1.0 Government of Canada. This document

More information

Samsung Electronics Co., Ltd. Samsung Galaxy S6 and S6 Edge (MDFPP20) Security Target

Samsung Electronics Co., Ltd. Samsung Galaxy S6 and S6 Edge (MDFPP20) Security Target Samsung Electronics Co., Ltd. Samsung Galaxy S6 and S6 Edge (MDFPP20) Security Target Version 0.5 2015/04/08 Prepared for: Samsung Electronics Co., Ltd. 416 Maetan-3dong, Yeongtong-gu, Suwon-si, Gyeonggi-do,

More information

Aruba, a Hewlett Packard Enterprise Company ClearPass Policy Manager (NDcPP10/AuthSrvEP10) Security Target

Aruba, a Hewlett Packard Enterprise Company ClearPass Policy Manager (NDcPP10/AuthSrvEP10) Security Target Aruba, a Hewlett Packard Enterprise Company ClearPass Policy Manager (NDcPP10/AuthSrvEP10) Security Target Version 1.1 6/08/2018 Prepared for: Aruba, a Hewlett Packard Enterprise Company 3333 Scott Blvd.

More information

Samsung Electronics Co., Ltd. Samsung Galaxy S5 with KNOX 2 (MDFPP11) Security Target

Samsung Electronics Co., Ltd. Samsung Galaxy S5 with KNOX 2 (MDFPP11) Security Target Samsung Electronics Co., Ltd. Samsung Galaxy S5 with KNOX 2 (MDFPP11) Security Target Version 0.4 10/14/14 Prepared for: Samsung Electronics Co., Ltd. 416 Maetan-3dong, Yeongtong-gu, Suwon-si, Gyeonggi-do,

More information

Protection Profile for Server Virtualization

Protection Profile for Server Virtualization Protection Profile for Server Virtualization 14 September 2015 Version 1.1 i 0 Preface 0.1 Objectives of Document This document presents the Common Criteria (CC) Protection Profile (PP) to express the

More information

Configuring SSL. SSL Overview CHAPTER

Configuring SSL. SSL Overview CHAPTER 7 CHAPTER This topic describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section are:

More information

Certification Report

Certification Report Certification Report Curtiss-Wright Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government of Canada, Communications

More information

National Information Assurance Partnership

National Information Assurance Partnership National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Protection Profile for IPsec Virtual Private Network (VPN) Clients, Version 1.1 Report Number:

More information

Assurance Activities Report for Aruba Mobility Controller and Access Point Series

Assurance Activities Report for Aruba Mobility Controller and Access Point Series Assurance Activities Report for Aruba Mobility Controller and Access Point Series Version 1.0 06 August 2014 Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation

More information

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX

Let's Encrypt - Free SSL certificates for the masses. Pete Helgren Bible Study Fellowship International San Antonio, TX Let's Encrypt - Free SSL certificates for the masses Pete Helgren Bible Study Fellowship International San Antonio, TX Agenda Overview of data security Encoding and Encryption SSL and TLS Certficate options

More information

CCEVS APPROVED ASSURANCE CONTINUITY MAINTENANCE REPORT

CCEVS APPROVED ASSURANCE CONTINUITY MAINTENANCE REPORT TM ASSURANCE CONTINUITY MAINTENANCE REPORT FOR Aruba Remote Access Points Maintenance Update of Aruba Remote Access Points Maintenance Report Number: CCEVS-VR-VID10766-2017a Date of Activity: September

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Extended Package for Secure Shell, Version 1.0, February 19, 2016 Report Number: CCEVS-VR-PP-0039

More information

Configuring SSL CHAPTER

Configuring SSL CHAPTER 7 CHAPTER This chapter describes the steps required to configure your ACE appliance as a virtual Secure Sockets Layer (SSL) server for SSL initiation or termination. The topics included in this section

More information

BIG-IP System: SSL Administration. Version

BIG-IP System: SSL Administration. Version BIG-IP System: SSL Administration Version 13.0.0 Table of Contents Table of Contents About SSL Administration on the BIG-IP System...7 About SSL administration on the BIG-IP system... 7 Device Certificate

More information

FireEye NX Series Appliances

FireEye NX Series Appliances FireEye NX Series Appliances FireEye, Inc. Common Criteria Security Target Prepared By: Acumen Security 18504 Office Park Dr Montgomery Village, MD 20886 www.acumensecurity.net 1 Table Of Contents 1 Security

More information

Assurance Activity Report. For CertAgent version /17/2018

Assurance Activity Report. For CertAgent version /17/2018 Assurance Activity Report For CertAgent version 7.0 Document version: 1.5a 07/17/2018 Document prepared by DXC Security Testing/Certification Laboratories 1 Overview Certification Authorities (CAs), and

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT CA Technologies CA API Gateway v9.2 10 October 2017 383-4-417 V 1.0 Government of Canada. This document is the property of the Government of Canada. It shall not be

More information

FireEye VX Series Appliances

FireEye VX Series Appliances FireEye VX Series Appliances FireEye, Inc. Common Criteria Security Target Prepared By: Acumen Security 18504 Office Park Dr Montgomery Village, MD 20886 www.acumensecurity.net 1 Table Of Contents 1 Security

More information

Brocade Communications Systems, Inc. Brocade FastIron ICX Series Switch/Router Security Target

Brocade Communications Systems, Inc. Brocade FastIron ICX Series Switch/Router Security Target Brocade Communications Systems, Inc. Brocade FastIron ICX Series Switch/Router 08.0.40 Security Target Version 0.6 January 15, 2016 Prepared for: Brocade Communications Systems, Inc. 130 Holger Way San

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. for National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report for Report Number: CCEVS-VR-10746-2016 Dated: November 10, 2016 Version: 1.0 National Institute

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report for the FireEye VX Series Appliance, Version 1.0 Report Number: CCEVS-VR-10835-2017 Dated:

More information

TM ASSURANCE CONTINUITY MAINTENANCE REPORT FOR Samsung Electronics Co., Ltd. Samsung Galaxy Devices with Android 6 (MDFPP20)

TM ASSURANCE CONTINUITY MAINTENANCE REPORT FOR Samsung Electronics Co., Ltd. Samsung Galaxy Devices with Android 6 (MDFPP20) TM ASSURANCE CONTINUITY MAINTENANCE REPORT FOR Samsung Electronics Co., Ltd. Samsung Galaxy Devices with Android 6 (MDFPP20) Maintenance Update of Samsung Electronics Co., Ltd. Samsung Galaxy Devices with

More information

COMMON CRITERIA CERTIFICATION REPORT

COMMON CRITERIA CERTIFICATION REPORT COMMON CRITERIA CERTIFICATION REPORT Ixia NTO 7303 and Vision ONE v4.5.0.29 30 October 2017 383-4-409 1.0 Government of Canada. This document is the property of the Government of Canada. It shall not be

More information

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009

Meru Networks. Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2. Revision Date: June 24, 2009 Security Gateway SG1000 Cryptographic Module Security Policy Document Version 1.2 Meru Networks Revision Date: June 24, 2009 Copyright Meru Networks 2008. May be reproduced only in its original entirety

More information

NCP Secure Client Juniper Edition Release Notes

NCP Secure Client Juniper Edition Release Notes Service Release: 10.11 r32792 Date: November 2016 Prerequisites Operating System Support The following Microsoft Operating Systems are supported with this release: Windows 10 32/64 bit Windows 8.x 32/64

More information