NIAP: Compliant Product
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - KeyW BlackBerry Suite B Data at Rest, Version 1.2.2.1

Certificate Date:  2017.08.08

Validation Report Number:  CCEVS-VR-VID10801-2017

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Extended Package for Software File Encryption Version 1.0
  Protection Profile for Application Software Version 1.2

CC Testing Lab:  Gossamer Security Solutions


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The KeyW BlackBerry Suite B Data at Rest application (i.e., the TOE) is a file encryption tool that runs on a BlackBerry 10.3 mobile device.  The BlackBerry Advanced Data at Rest Protection (ADARP) relays all operations on files within the BlackBerry work space to the TOE, which encrypts or decrypts the file contents automatically.  The TOE runs as a BlackBerry required application, meaning the BlackBerry operating system will ensure that the mobile device features are available only when the TOE is running. 

The TOE utilizes the BlackBerry 10.3 operating system for storage of passwords, keys and for Deterministic Random Bit Generation (DRBG).  However, the TOE implements its own encryption, decryption, and keyed-Hashing functions, which have been certified through CAVP.


Evaluated Configuration

The KeyW BlackBerry Suite B Data at Rest TOE is also known as KEYWprotect.  The TOE provides an AES-based Data at Rest (DAR) encryption model that is used to encrypt the BlackBerry work space data when BlackBerry 10.3 mobile devices are unlocked including encrypting data received when the BlackBerry work space is locked.  The TOE is an application on the BlackBerry 10.3 mobile device.  The TOE runs on the following evaluated BlackBerry models.

Device

Processor

Classic

Qualcomm S4 (MSM8960)

Passport

Qualcomm Snapdragon 801

Leap

Qualcomm S4 (MSM8960)

Z30

Qualcomm S4 (MSM8960)

Q10 Porsche

Qualcomm S4 (MSM8960)

Q10

Qualcomm S4 (MSM8960)

Z10 Porsche

Qualcomm S4 (MSM8960)

Z10

Qualcomm S4 (MSM8960)

 

The TOE utilizes BlackBerry Advanced Data at Rest Protection (ADARP) features to relay all file operations within the BlackBerry work space when the BlackBerry 10.3 mobile device is in the unlocked and locked states.  When the BlackBerry 10.3 mobile device is unlocked, all BlackBerry work space data created by other applications is automatically encrypted by the TOE and stored in the BlackBerry work space via the BlackBerry File System (FSYS) Relay API feature.  When the BlackBerry 10.3 mobile device is locked, all BlackBerry work space data received by other applications is automatically encrypted by the TOE and stored in the BlackBerry work space via the BlackBerry Data Lock Queue (DLQ) Relay API feature.  Encrypted work space data is decrypted as needed only after a user presents valid authentication factors.  Therefore, no clear text is ever written to the BlackBerry work space file system.


Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012.  The product, when delivered and configured as identified in the KeyW BB10 Suite B Data at Rest v1.2.2.1 User Guide, Version 1.1, July 21, 2017 document, satisfies all of the security functional requirements stated in the KeyW BlackBerry Suite B Data at Rest, Version 1.2.2.1 (ASPP12/ASFEEP10) Security Target, Version 1.0, August 7, 2017.  The project underwent CCEVS Validator review.  The evaluation was completed in August 2017.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-10801-2017) prepared by CCEVS.


Environmental Strengths

The logical boundaries of the KeyW BlackBerry Suite B Data at Rest, Version 1.2.2.1 are realized in the security functions that it implements. Each of these security functions is summarized below.

Cryptographic support - The TOE operates on a BlackBerry 10.3 mobile device and uses features provided by the platform for key storage, user credential storage, and Deterministic Random Bit Generation (DRBG).  The TOE implements its own algorithms for AES, Key Wrapping, key-based and password-based Key Derivation, Key Establishment, cryptographic hashing and keyed-hashing.

User data protection - The TOE protects user data by providing an integrated file encryption and file data authentication capability that automatically encrypts new files and decrypts files upon user demand.  The TOE utilizes 256-bit AES encryption for confidentiality and HMAC-SHA-384 for file data integrity.

Identification and authentication - The TOE authenticates a user by requiring a password before any file data decryption operation is initiated.  Without the correct password, the user is unable to decrypt the keys necessary to obtain clear text data from the BlackBerry work space file system.

Security management - The TOE supports encryption while in the locked state, but does not allow decryption or integrity operations until the user authenticates to the device upon first use of the TOE.  The TOE allows the user to change their password for management purposes. 

Protection of the TSF - The TOE relies on the physical boundary of the evaluated platform as well as the BlackBerry 10.3 operating system for the protection of the TOE’s application components.

Updates to the TOE are handled by the BlackBerry Enterprise Services (BES) management software. 

Trusted path/channels - The TOE does not transmit any data between itself and another network entity. All of the data managed by the TOE resides on the evaluated platform (BlackBerry 10.3).


Vendor Information

Logo
KeyW Corporation
Kristan Pam
410-904-5200
410-799-3479
kpam@keywcorp.com

https://www.keywcorp.com
Site Map              Contact Us              Home