Compliant Product - Enveil ZeroReveal™ Compute Fabric Client v2.5.4
Certificate Date: 2021.06.02CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11136-2021
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Functional Package for TLS Version 1.1
Protection Profile for Application Software Version 1.3
CC Testing Lab: Acumen Security
The Target of Evaluation (TOE) is Enveil ZeroReveal™ Compute Fabric Client v2.5.4 and has been evaluated on the CentOS 8.1 on the Intel Core i7-10710U host platform. The TOE is the application software and required libraries only. The host platforms are not part of the evaluation. The TOE supports secure connectivity with several other IT environment devices as described in Table 1 IT Environments Components.
The TOE has been evaluated on the following host platforms:
- CentOS 8.1 on Intel Core i7-10710U
Note: The TOE is the application software and required libraries only. The host platforms are not part of the evaluation.
The TOE supports secure connectivity with several other IT environment devices as described below:
Table 1 IT Environment Components
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Enveil ZeroReveal® Compute Fabric Client v2.5.4 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when delivered configured as identified in the ZeroReveal Compute Fabric Configuration Guide for Common Criteria v2.5.4, satisfies all of the security functional requirements stated in the Enveil ZeroReveal® Compute Fabric Client Security Target. The project underwent CCEVS Validator review. The evaluation was completed in May 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE provides the security functionality required by [SWAPP] and [TLS-PKG].
3.1 Cryptographic Support
The TOE performs two kinds of cryptographic functions: those necessary to the operation of the TOEs homomorphic encrypted search function, and those necessary to the operation of the trusted path and trusted channels. Because the homomorphic encryption functionality is outside the scope of this evaluation, only those cryptographic functions necessary to support the trusted path and trusted channels are described below:
Table 2 TOE Provided Cryptography
Each of these cryptographic algorithms have been validated for conformance to the requirements specified in their respective standards, as identified below:
Table 3 CAVP Algorithm Testing References
3.2 User Data Protection
The ZeroReveal Client network communication is restricted to user-initiated communication for authentication via LDAP directory, responses to API requests, and initiation of communications with the ZeroReveal Server.
3.3 Identification and Authentication
The ZeroReveal client relies on X.509v3 certificate validation functions provided by the platform to authenticate the certificate(s) during the establishment of the TLS trusted channel. All trusted paths and channels are first authenticated using X.509v3 certificates.
Individual users are authenticated to the TOE by X.509v3 certificate during TLS with mutual authentication trusted channel establishment and by authentication via LDAP server (the first shows that the user is authorized to communicate with the TOE at all, the second shows that the user is authorized to run queries using the TOE).
3.4 Security Management
An enterprise administrator manages the TOE via configuration files on each installation workstation or platform in the Operational Environment. There is no management GUI, CLI, or interface to manage the TOE over the network.
The TOE does not include any predefined or default credentials and utilizes the platform recommended storage process for configured credentials in the TOE’s configuration files.
The TOE does not collect or transmit Personally Identifiable Information (PII) over the network.
3.6 Protection of the TSF
The TOE leverages platform provided package management for secure installation and updates. The TOE installation package includes only those third-party libraries necessary for its intended operation. The TOE utilizes compiler-provided anti-exploitation capabilities.
3.7 Trusted Path/Channels
The TOE communicates to the ZeroReveal® Compute Fabric Server via REST API over mutually authenticated TLS. The TOE communicates to the LDAP server via mutually authenticated TLS. Users communicate with the TOE through the REST API over HTTPS/TLS.