Korean National Protection Profile for Single Sign On V1.0 Certification Report


KECS-CR-17-58

Korean National Protection Profile for Single Sign On V1.0 Certification Report

Certification No.: KECS-PP-0822-2017

2017. 8. 18

IT Security Certification Center

History of Creation and Revision

No.: 00
Date: 2017.08.18
Revised Pages: -
Description: Certification report for Korean National Protection Profile for Single Sign On V1.0 - First documentation

This document is the certification report for Korean National Protection Profile for Single Sign On V1.0 of National Security Research Institute (NSR) and Telecommunications Technology Association (TTA).

The Certification Body: IT Security Certification Center (ITSCC)

The Evaluation Facility: Telecommunications Technology Association (TTA)

Table of Contents

Certification Report
1. Executive Summary
2. Identification
3. Security Policy
4. Assumptions and Clarification of Scope
5. Results of the Evaluation
5.1 Protection Profile Evaluation (APE)
5.2 Evaluation Result Summary
6. Recommendations
7. Acronyms and Glossary
8. Bibliography

1. Executive Summary

This report describes the certification result drawn by the certification body on the results of the APE evaluation of Korean National Protection Profile for Single Sign On V1.0 ("PP" hereinafter) [1] with reference to the Common Criteria for Information Technology Security Evaluation ("CC" hereinafter) [2]. It describes the evaluation result and its soundness and conformity.

The authors of the PP [1] are National Security Research Institute (NSR) and Telecommunications Technology Association (TTA).

The Target of Evaluation (TOE) in the PP [1] is the Single Sign On (SSO), designed to enable the user to access various business systems in the organization through a single user login based on the authentication token. Also, the TOE shall provide a variety of security features: security audit, the user identification and authentication including mutual authentication between TOE components, security management, the TOE access session management, and the TSF protection function, etc. In addition, the TOE shall provide cryptographic support functions including the cryptographic key management and cryptographic operation for the authentication token. These TOE Security Functional Requirements (SFRs) are outlined in the PP [1].

The evaluation of the PP [1] has been carried out by Telecommunications Technology Association (TTA) and completed on 13 June 2017. This report is based on the evaluation technical report (ETR) that TTA submitted [6].

The evaluation of the PP [1] was performed in accordance with the APE (Protection Profile Evaluation) requirements in CC Part 3 and the Common Methodology for Information Technology Security Evaluation ("CEM" hereinafter) [3]. The PP [1] does not claim conformance to any other Protection Profile. All Security Requirements (SARs) in the PP [1] are based only upon assurance components in CC Part 3, and the assurance package is EAL1 augmented by ATE_FUN.1. Therefore the PP [1] is CC Part 3 conformant.

The Security Functional Requirements (SFRs) are based upon both functional components in CC Part 2 and newly defined components in the Extended component definition chapter of the PP [1]. Therefore the PP [1] is CC Part 2 extended. The PP [1] requires strict conformance.

The operational environment of the Single Sign On is as shown in [Figure 1].

[Figure 1] Operational environment of SSO

Certification Validity: The certificate is not an endorsement of the Protection Profile by ITSCC or by any other organization that recognizes or gives effect to this certificate, and no warranty of the Protection Profile by ITSCC or by any other organization that recognizes or gives effect to the certificate is either expressed or implied.

2. Identification

[Table 1] summarizes identification information for scheme, developer, sponsor, evaluation facility, certification body, etc.

Scheme: Korea Evaluation and Certification Guidelines for IT Security (27 June 2016); Korea Evaluation and Certification Scheme for IT Security (26 June 2017)
Name and Version of the Certified Protection Profile: Korean National Protection Profile for Single Sign On V1.0
Common Criteria: Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5, CCMB-2017-04-001 ~ CCMB-2017-04-003, April 2017
Common Methodology: Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5, CCMB-2017-04-004, April 2017
EAL: EAL1+ (augmented by ATE_FUN.1)
Developer: National Security Research Institute (NSR); Telecommunications Technology Association (TTA)
Sponsor: National Security Research Institute (NSR)
Evaluation Facility: Telecommunications Technology Association (TTA)
Completion Date of Evaluation: 13 June 2017
Certification No.: KECS-PP-0822-2017
Certification Body: IT Security Certification Center (ITSCC)

[Table 1] Identification information

3. Security Policy

The PP [1] has the reduced content of a low-assurance PP, thus the PP [1] does not have any explicit security problem definition (i.e., threats, organisational security policies, and/or assumptions) and security objectives for the TOE. The TOE defined in the PP [1] provides security features in accordance with the SFRs. Refer to the PP [1] chapter 5 for details.

4. Assumptions and Clarification of Scope

The PP [1] has the reduced content of a low-assurance PP, thus the PP [1] does not have any explicit assumptions. The TOE defined in the PP [1] is the Single Sign On.

5. Results of the Evaluation

The PP [1] claims EAL1+ (ATE_FUN.1), thus has the reduced content of a low-assurance PP. The evaluation facility provided the evaluation result in the ETR [6], which references a Single Evaluation Report for APE requirements and Observation Reports. The evaluation result was based on the CC [2] and CEM [3]. As a result of the evaluation, the verdict PASS is assigned to all assurance components of APE.

5.1 Protection Profile Evaluation (APE)

The PP Introduction correctly identifies the PP, and the PP reference and the TOE overview are consistent with each other. Therefore the verdict PASS is assigned to APE_INT.1.

The Conformance Claim properly describes how the PP conforms to the CC and packages. Therefore the verdict PASS is assigned to APE_CCL.1.

The Security Objectives for the operational environment from the PP are clearly defined. Therefore the verdict PASS is assigned to APE_OBJ.1.

The Extended Components Definition has been clearly and unambiguously defined, and it is necessary. Therefore the verdict PASS is assigned to APE_ECD.1.

The Security Requirements are defined clearly and unambiguously, and they are internally consistent. Therefore the verdict PASS is assigned to APE_REQ.1.

Thus, the PP is sound and internally consistent, and suitable to be used as the basis for writing a low-assurance ST or another low-assurance PP. The verdict PASS is assigned to the assurance class APE.

5.2 Evaluation Result Summary

| Class | Component | Evaluator Action Elements | Verdict: Evaluator Action Elements | Verdict: Component | Verdict: Class |
|---|---|---|---|---|---|
| APE | APE_INT.1 | APE_INT.1.1E | PASS | PASS | PASS |
| | APE_CCL.1 | APE_CCL.1.1E | PASS | PASS | |
| | APE_OBJ.1 | APE_OBJ.1.1E | PASS | PASS | |
| | APE_ECD.1 | APE_ECD.1.1E | PASS | PASS | |
| | | APE_ECD.1.2E | PASS | | |
| | APE_REQ.1 | APE_REQ.1.1E | PASS | PASS | |

[Table 2] Evaluation Result Summary

6. Recommendations

The PP [1] defines the minimum security requirements for Single Sign On, and requires an ST or another PP claiming this PP [1] to fulfill the CC requirements for strict conformance, but only a low-assurance ST is allowed to claim conformance to the PP [1].

If the TOE defined in the ST which claims conformance to the PP [1] implements additional security features, then the ST author is strongly recommended to define additional security functional requirements in accordance with the TOE implementation.

7. Acronyms and Glossary

CC: Common Criteria
EAL: Evaluation Level
ETR: Evaluation Technical Report
PP: Protection Profile
SAR: Security Requirement
SFR: Security Functional Requirement
ST: Security Target
TOE: Target of Evaluation
TSF: TOE Security Functionality

8. Bibliography

The certification body used the following documents to produce this report.

[1] Korean National Protection Profile for Single Sign On V1.0
[2] Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5, CCMB-2017-04-001 ~ CCMB-2017-04-003, April 2017
    - Part 1: Introduction and general model
    - Part 2: Security functional components
    - Part 3: Security assurance components
[3] Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5, CCMB-2017-04-004, April 2017
[4] Korea Evaluation and Certification Guidelines for IT Security (27 June 2016)
[5] Korea Evaluation and Certification Scheme for IT Security (26 June 2017)
[6] TTA-CCE-16-035 Korean National Protection Profile for Single Sign On V1.0 Evaluation Technical Report V1.5, 13 June 2017