Validated Product - GuardianEdge Data Protection Framework 9.0.1 with GuardianEdge Hard Disk Encryption 9.0.1 and GuardianEdge Removable Storage Encryption 3.0.1

Certificate Date: 18 December 2008

Validation Report Number: CCEVS-VR-VID10003-2008

Product Type: Sensitive Data Protection

Conformance Claim: EAL4 Augmented with ALC_FLR.3

PP Identifiers: None

CC Testing Lab: CygnaCom Solutions, Inc


PRODUCT DESCRIPTION

The GuardianEdge Platform provides transparent encryption services for hard disks and removable storage devices on computers running Windows XP, Windows 2000, and Windows Vista. It employs full disk encryption, pre-boot authentication, and on-the-fly disk decryption/encryption at the device driver level to provide complete protection of data on Windows-based notebook and desktop systems. It also protects information on removable storage devices such as USB flash drives.

The GuardianEdge Platform protects data at rest on the hard disk and on removable devices from unauthorized access. The GuardianEdge Platform uses its own FIPS 140-2 Level 1 validated cryptographic module (Certificate No. 515) to perform the cryptographic operations necessary to protect data, support authentication, and self-protect against tampering or bypass. The product uses the Advanced Encryption Standard (AES) in Cipher Block Chaining (CBC) mode with 256-bit keys to perform bulk encryption of administrator-specified partitions of hard disks and removable storage devices on a Client Computer.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. GuardianEdge Data Protection Framework 9.0.1 with GuardianEdge Hard Disk Encryption 9.0.1 and GuardianEdge Removable Storage Encryption 3.0.1 software was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. CygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL4 augmented with ALC_FLR.3. A validator, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in November 2008.

For this evaluation, it was appropriate for the Security Target to claim compliance with the external standard for Elliptic Curve Cryptography for the definition of the encryption algorithm. There are many ways of determining compliance with a standard. GuardianEdge has chosen to make a developer claim of compliance. This means that there has been no independent verification (by either the evaluators or a third-party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.

ENVIRONMENTAL STRENGTHS

The following security functions are in the scope of the evaluation:

  1. Audit—The TOE auditing service writes audit records to the Windows system event log of the Client Computer operating system. It captures security events related to use of the authentication mechanism, initial encryption activity, and the startup and shutdown of the TOE client. The auditing service starts automatically with the TOE client; there is no interface to turn off the audit mechanism and no interface to change the set of security events being audited.

    The audit function requires the following support from the TOE’s IT environment:
    • The OS to protect the Windows system event log from unauthorized deletion and modification.
    • The platform to provide reliable time when required, so that audit records carry meaningful timestamps.
    • The OS to provide an interface to view the audit records in the Windows system event log.

  2. Data protection—The TOE uses its FIPS 140-2 cryptographic functions, described below, to ensure that all data on the hard disk partitions designated by an administrator is protected by encryption when not in use (i.e., at rest). Except for the GEFS files (needed to bootstrap the system), the encryption covers all data on the selected hard disk partitions, including system files such as Windows operating system files, the registry, swap files, hibernation files, and paging files. A per-computer key is used to encrypt all data on the hard disk; this key is called the Workstation Encryption Key (WEK).

    The data protection function also ensures that the data is available when requested and that both the encryption process (protecting data at rest) and the decryption process (making data available to registered users) are performed transparently to the user, referred to as on-the-fly decryption/encryption. This transparent operation ensures enforcement and does not rely on users activating the function.

    Data on removable storage devices is encrypted on a per-file basis. Files are automatically encrypted when written to the device and decrypted when accessed. Depending on the configuration, pre-existing plaintext files may be either automatically encrypted or left as plaintext; the evaluated configuration leaves pre-existing files in plaintext. A per-file key is used to encrypt files on removable storage devices; this key is called the File Encryption Key (FEK).

  3. Cryptographic Services—The TOE includes cryptographic libraries that provide cryptographic support for the following security functions:
    • Authentication process password check: Elliptic Curve Cryptography (ECC), SHA-1
    • New user registration: ECC, RNG
    • Initial encryption and transparent decryption: AES in CBC mode
    • Self-tests and integrity checks: SHA-1 and CRC

    The IT environment is only required to operate correctly to support the cryptographic services security function.

  4. Identification and Authentication—The TOE provides an identification and authentication (I&A) mechanism that requires all users to identify and authenticate themselves during startup of the Client Computer, before the operating system is loaded and before users log on to their Windows accounts. This is referred to as pre-Windows authentication. In addition to the pre-Windows authentication requirement, the TOE also requires all users to log on again when accessing the GuardianEdge Client console.

    In support of the password-based mechanism, the TOE obscures the password users enter on the TOE logon screens. It provides an authentication failure mechanism and password management options that define the parameters for acceptable passwords.

    The identification and authentication function depends on the operating system to identify and authenticate the Client Computer users after startup, and on the platform to provide an accurate clock to measure one minute, the delay imposed on the logon process by the authentication failure mechanism. As with all the security functions, it also requires the support provided as part of Partial Self-Protection, described below, both in general and in particular for activating the TOE as part of the pre-Windows start-up process.

  5. Security Management—The TOE includes an administrative interface for Client Administrators to remove users, change passwords, and perform initial encryption on selected partitions. Registered users also use this interface to change their passwords. The GuardianEdge Platform in its evaluated configuration is designed to require minimal administration during normal operation. The Client Administrator, using the Client Console, is also able to verify the evaluated configuration settings. New users are added to the TOE through a self-registration process coordinated with the operating system logon for subsequent users after startup of the Client Computer.

    The IT environment is required to operate correctly to support this security function.

  6. Partial Self-Protection—Working in concert with its platform, the TOE provides a security architecture and security mechanisms to ensure the TSF cannot be bypassed, corrupted, or otherwise compromised.

    The TOE relies on its platform for domain separation of TSF processes, for non-bypassability, for access controls on file protections, and for correct operation of the BIOS and media driver data processing.

  7. Access Banners—The TOE displays an advisory warning access banner as part of its logon screen. The banner and warning are defined by the Policy Administrator during the installation process.
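The removable-storage model described under Data protection above (a fresh File Encryption Key per file, content encrypted as it is written, AES-256 in CBC mode as the bulk cipher, and pre-existing files left in plaintext in the evaluated configuration), as an added example in Go. This is not GuardianEdge code and does not reproduce the product's on-disk format: the header layout, the magic marker, and the per-device wrapping key used to protect the FEK are assumptions of this example, since the page states only that a per-file FEK is used. AuditPlaintext is the check an administrator would want after deploying the evaluated configuration, because files that were already on the device stay readable.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"sort"
)

// Hypothetical marker for files this example has encrypted. It is NOT the
// GuardianEdge file format, which the validation page does not describe.
var magic = []byte("RSE-DEMO")

const keyLen = 32 // AES-256, as in the evaluated product
const blockLen = aes.BlockSize

// pad and unpad implement PKCS#7 so arbitrary-length files fill whole CBC blocks.
func pad(b []byte) []byte {
	n := blockLen - len(b)%blockLen
	return append(b, bytes.Repeat([]byte{byte(n)}, n)...)
}

func unpad(b []byte) ([]byte, error) {
	if len(b) == 0 || len(b)%blockLen != 0 {
		return nil, errors.New("ciphertext not block aligned")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockLen {
		return nil, errors.New("bad padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("bad padding")
		}
	}
	return b[:len(b)-n], nil
}

// cbc encrypts or decrypts buf under key with iv; buf must be block aligned.
func cbc(key, iv, buf []byte, encrypt bool) ([]byte, error) {
	if len(buf)%blockLen != 0 {
		return nil, errors.New("input not block aligned")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, len(buf))
	if encrypt {
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(out, buf)
	} else {
		cipher.NewCBCDecrypter(block, iv).CryptBlocks(out, buf)
	}
	return out, nil
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // a failed RNG must never silently yield a weak key
	}
	return b
}

// EncryptFile models write-time encryption on removable media: a fresh FEK is
// generated, the content is encrypted with AES-256-CBC under the FEK, and the
// FEK is wrapped with AES-256-CBC under a per-device key (an assumption of this
// example). Layout: magic | wrapIV(16) | wrappedFEK(32) | dataIV(16) | ciphertext
func EncryptFile(deviceKey, plaintext []byte) ([]byte, error) {
	if len(deviceKey) != keyLen {
		return nil, errors.New("device key must be 32 bytes")
	}
	fek := randomBytes(keyLen)
	wrapIV := randomBytes(blockLen)
	wrapped, err := cbc(deviceKey, wrapIV, fek, true) // 32 bytes = 2 blocks, no padding
	if err != nil {
		return nil, err
	}
	dataIV := randomBytes(blockLen)
	ct, err := cbc(fek, dataIV, pad(plaintext), true)
	if err != nil {
		return nil, err
	}
	out := append([]byte{}, magic...)
	out = append(out, wrapIV...)
	out = append(out, wrapped...)
	out = append(out, dataIV...)
	return append(out, ct...), nil
}

// IsEncrypted reports whether a file carries the example header; files without
// it are plaintext, which is how the evaluated configuration leaves pre-existing files.
func IsEncrypted(b []byte) bool { return bytes.HasPrefix(b, magic) }

// DecryptFile reverses EncryptFile and refuses files that lack the header.
func DecryptFile(deviceKey, blob []byte) ([]byte, error) {
	hdr := len(magic) + blockLen + keyLen + blockLen
	if !IsEncrypted(blob) || len(blob) < hdr {
		return nil, errors.New("not an encrypted file")
	}
	p := len(magic)
	wrapIV := blob[p : p+blockLen]
	p += blockLen
	wrapped := blob[p : p+keyLen]
	p += keyLen
	dataIV := blob[p : p+blockLen]
	p += blockLen
	fek, err := cbc(deviceKey, wrapIV, wrapped, false)
	if err != nil {
		return nil, err
	}
	pt, err := cbc(fek, dataIV, blob[p:], false)
	if err != nil {
		return nil, err
	}
	return unpad(pt)
}

// AuditPlaintext lists files on an in-memory volume that are not encrypted.
func AuditPlaintext(volume map[string][]byte) []string {
	var names []string
	for name, content := range volume {
		if !IsEncrypted(content) {
			names = append(names, name)
		}
	}
	sort.Strings(names)
	return names
}

func main() {
	deviceKey := randomBytes(keyLen)
	// Constructed sample volume: one file written while the TOE was active,
	// one that already existed on the device before the TOE was installed.
	enc, _ := EncryptFile(deviceKey, []byte("payroll Q4 draft"))
	volume := map[string][]byte{
		"new-report.docx": enc,
		"old-notes.txt":   []byte("left as plaintext"),
	}
	fmt.Println("plaintext files:", AuditPlaintext(volume))
	pt, err := DecryptFile(deviceKey, enc)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
}
```

CBC mode gives confidentiality only: flipping bits in a ciphertext block produces predictable changes in the next plaintext block, and the page does not say how the product detects modified ciphertext. The padding check here rejects most wrong-key or corrupted inputs but is not an integrity mechanism; a deployment of this model should add an authentication tag or use an authenticated mode.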

Vendor Information


GuardianEdge Technologies Inc.
Marc Ferrie
415-683-2355
415-683-2349 (Fax)
mferrie@guardianedge.com

http://www.guardianedge.com/