Compliant Product - Cellcrypt Server
Certificate Date: 2022.04.25
Documents: CC Certificate, Security Target, Validation Report
Validation Report Number: CCEVS-VR-VID11207-2022
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
PP-Module for Enterprise Session Controller (ESC) Version 1.0
CC Testing Lab: Acumen Security
Cellcrypt Server is a secure networking device providing a core set of services for the Cellcrypt communications network. The Cellcrypt network enables end-to-end encrypted multimedia communications between users of mobile and desktop computers. Secure multimedia services include:
• Voice and video (Realtime)
• Text messaging and voice notes (store-and-forward)
• File sharing (store-and-forward)
All network communications are encrypted, and interoperability with third-party networks is provided using standards-based realtime and store-and-forward protocols (SIP/SRTP/XMPP).
The TOE consists of both software and hardware components. The TOE hardware is implemented as a rack-mounted server.
The TOE hardware consists of a Hewlett-Packard (HP) rack-mounted server with the following specifications:
Table 1: Hardware Specifications
The TOE software architecture, indicating the TOE logical boundary, is shown in Figure 1. Note that the TOE boundary encapsulates the entire Cellcrypt Server and includes the Red Hat Enterprise Linux 7.6 64-bit operating system (RHEL 7.6).
The network services shown in Figure 1 are described in more detail below. The web proxy (nginx) provides TLS for the HTTPS virtual hosts using the CCoreV4 module; the other TLS hosts use CCoreV4 directly. Command shell access is protected with SSH, also using the CCoreV4 crypto algorithms, so the TOE presents a consistent network interface backed by a single crypto module. CCoreV4 is a FIPS 140-2 validated crypto module with its own validated DRBG, seeded from the Intel RDSEED instruction. ECS and the Secure Gateway provide media conferencing services protected by SRTP. The media relay is a TURN service that lets SRTP media traverse NAT routers. The AIDE Intrusion Detection System (IDS) monitors the file system for unauthorized changes.
The SIP server provides the main ESC service, facilitating all secure voice/video calls by connecting calls and signalling call progress/status using the SIP protocol in accordance with RFC 3261. In addition to normal SIP calling services, SDES key management is handled via the SIP server. The SDES key exchange is carried in the Session Description Protocol (SDP) body in accordance with RFC 4566; the a=crypto attribute that carries the SRTP master key and salt is defined in RFC 4568. Because SDES places the SRTP master key in the SDP body, it relies on the SIP signalling channel itself being confidentiality-protected.
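The a=crypto exchange described above, as an added example that is not Cellcrypt's code: a parser for SDES attributes per RFC 4568 and the answerer-side selection step of offer/answer. The suite table, the demo key material and the offer lines are constructed for the example (the TOE's own suite list is in Table 2, which this page does not reproduce); the key||salt length is checked against the suite so a truncated or mismatched key cannot be accepted.

```python
"""SDES (RFC 4568) a=crypto parsing and offer/answer selection.

Added example, not Cellcrypt code. Suite key sizes come from RFC 4568
(AES_CM_128_*), RFC 6188 (AES_256_CM_*) and RFC 7714 (AEAD_AES_*_GCM).
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import Dict, Iterable, List, Optional, Tuple

# crypto-suite -> (master key length, master salt length) in bytes
SUITES: Dict[str, Tuple[int, int]] = {
    "AES_CM_128_HMAC_SHA1_80": (16, 14),
    "AES_CM_128_HMAC_SHA1_32": (16, 14),
    "AES_256_CM_HMAC_SHA1_80": (32, 14),
    "AES_256_CM_HMAC_SHA1_32": (32, 14),
    "AEAD_AES_128_GCM": (16, 12),
    "AEAD_AES_256_GCM": (32, 12),
}
_LIFETIME = re.compile(r"^(2\^\d+|\d+)$")   # RFC 4568: lifetime = ["2^"] 1*DIGIT


class SdesError(ValueError):
    """Raised for any malformed or unsupported a=crypto attribute."""


@dataclass
class CryptoAttr:
    tag: int
    suite: str
    master_key: bytes
    master_salt: bytes
    lifetime: Optional[str] = None
    mki: Optional[Tuple[int, int]] = None          # (MKI value, MKI length in bytes)
    session_params: List[str] = field(default_factory=list)


def parse_crypto(line: str) -> CryptoAttr:
    """Parse one 'a=crypto:<tag> <suite> <key-params> [session-params]' line."""
    if line.startswith("a="):
        line = line[2:]
    if not line.startswith("crypto:"):
        raise SdesError("not a crypto attribute")
    fields = line[len("crypto:"):].split()
    if len(fields) < 3:
        raise SdesError("need tag, crypto-suite and key-params")
    tag_s, suite, key_params, *session_params = fields
    if not tag_s.isdigit() or not 1 <= int(tag_s) <= 999_999_999:   # tag = 1*9DIGIT
        raise SdesError(f"bad tag {tag_s!r}")
    if suite not in SUITES:
        raise SdesError(f"unsupported crypto-suite {suite}")
    key_len, salt_len = SUITES[suite]
    # Several ';'-separated key-params are allowed; this example keeps the first.
    first = key_params.split(";")[0]
    if not first.startswith("inline:"):
        raise SdesError("only the inline: key method is defined by RFC 4568")
    parts = first[len("inline:"):].split("|")
    try:
        keysalt = base64.b64decode(parts[0], validate=True)
    except binascii.Error as exc:
        raise SdesError(f"key||salt is not valid base64: {exc}") from None
    if len(keysalt) != key_len + salt_len:   # wrong length = wrong suite or truncation
        raise SdesError(f"{suite} needs {key_len + salt_len} key||salt bytes, got {len(keysalt)}")
    lifetime: Optional[str] = None
    mki: Optional[Tuple[int, int]] = None
    for extra in parts[1:]:
        if ":" in extra:                         # <mki>:<mki_length>
            mki_s, mlen_s = extra.split(":", 1)
            if not (mki_s.isdigit() and mlen_s.isdigit()):
                raise SdesError(f"bad MKI {extra!r}")
            mki_val, mlen = int(mki_s), int(mlen_s)
            if not 1 <= mlen <= 128 or mki_val >= 256 ** mlen:
                raise SdesError(f"MKI {mki_val} does not fit in {mlen} bytes")
            mki = (mki_val, mlen)
        elif _LIFETIME.match(extra):
            lifetime = extra
        else:
            raise SdesError(f"bad key-param {extra!r}")
    return CryptoAttr(int(tag_s), suite, keysalt[:key_len], keysalt[key_len:],
                      lifetime, mki, list(session_params))


def answer_offer(offer_lines: Iterable[str], supported: Iterable[str]) -> Optional[CryptoAttr]:
    """Answerer side of RFC 4568 offer/answer: accept the first offered attribute
    whose suite we support (the answer must echo its tag); None if nothing matches."""
    supported = set(supported)
    for line in offer_lines:
        try:
            attr = parse_crypto(line)
        except SdesError:
            continue                              # skip malformed or unknown suites
        if attr.suite in supported:
            return attr
    return None


# Constructed sample offer: demo key material only, never reuse fixed keys.
DEMO_KEYSALT = bytes(range(30))
DEMO_OFFER = [
    "a=crypto:1 AES_CM_128_HMAC_SHA1_80 inline:"
    + base64.b64encode(DEMO_KEYSALT).decode() + "|2^20|1:4",
    "a=crypto:2 F8_128_HMAC_SHA1_80 inline:"      # valid in RFC 4568, not in SUITES
    + base64.b64encode(DEMO_KEYSALT).decode(),
]

if __name__ == "__main__":
    print(answer_offer(DEMO_OFFER, SUITES))
```

The parser rejects rather than repairs: a key||salt of the wrong length, an MKI that does not fit its declared width, or an unknown suite each fail closed, and the answerer simply moves on to the next offered attribute.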
Enterprise Management Portal (EMP)
The Enterprise Management Portal provides a secure web application for Enterprise clients to manage their users. Licenses can be purchased, assigned to users and features can be enabled or disabled for users within the Enterprise group. The Enterprise Management Portal provides advanced control of the Cellcrypt user’s devices, providing features such as remote wipe, and information about the user's device, such as operating system and version.
The MY server is a user-oriented web service that lets users manage their own accounts, e.g. changing passwords and adding devices to the same account. This service may be limited to administrator-only usage.
The API server is a web service mainly facilitating secure Suite B messaging. All Cellcrypt Suite B messaging clients send and retrieve secure messages via the API server. The API server also provides a general Cellcrypt client API for other housekeeping services.
The Vault service provides its own database (MariaDB) for storing message attachments. All file attachments are encrypted by the clients prior to uploading. The encryption key, together with the Vault attachment URI is distributed to recipients of the attachment via the Cellcrypt secure messaging service (see Cryptography section).
Enterprise Communications Service
Enterprise Communications Service (ECS) allows administrators to set up scheduled voice conferences and add users into groups. The group feature allows not only administrators but also users to create communication groups. Users within a group can communicate with each other much like a WhatsApp group. Group communication features include messaging, attachments, voice notes, and normal voice conferencing.
This service provides general-purpose information and configuration options for Cellcrypt client devices, e.g. the latest version of the Cellcrypt client application software can be queried here.
The XMPP server provides a gateway service between standard XMPP/Jabber messaging servers and the Cellcrypt Suite B messaging service. The XMPP server interface accepts XMPP/Jabber messages from its own registered clients, or messages forwarded to its domain from specific (configured) external XMPP servers. External Jabber usernames can be pre-configured on the server, or automatically added to Cellcrypt contact lists after the first message is sent, in the same way that Cellcrypt messaging automatically adds new contacts.
The MAP service provides secure mapping information to facilitate secure navigation and location privacy for field personnel.
The Secure Gateway (SG) provides a hub for voice mixing in voice conferences. The SG can bridge calls to a standard PBX as well as standalone SIP phones. Conferences can include a mixture of Cellcrypt users, PBX SIP/analog phones as well as standalone SIP phones.
Secure Shell Host Daemon
The Secure Shell Host Daemon (SSHD) is the standard Linux OpenSSH server, used to provide a command terminal for remote server administration. The SSH protocol is secured using the common CCoreV4 instance.
The audit daemon (Auditd) is a standard Linux service providing a user-space central point for sending auditable notifications. All security and other important activities are logged using this service. Auditd is configured for remote audit reporting and connects to a remote audit server. The link to the remote audit server is TLS-secured using the STunnel service with CCoreV4.
Network Time Protocol Daemon
The Network Time Protocol Daemon (NTPD) is a Linux service for synchronizing the server's local real-time clock with a remote time server using the standard NTP protocol [Ref 14]. The link to the remote NTP server is TLS-secured using the STunnel service with CCoreV4.
ISeed Entropy Gathering Utility
The ISeed utility gathers entropy using the Intel processor's RDSEED instruction, which provides access to a high-speed entropy source compliant with NIST SP 800-90B and SP 800-90C (draft). This ensures that the CCoreV4 DRBG always has sufficient entropy, even under high network load. Note that RDSEED can report that no seed is currently available when its conditioner is drained by heavy demand, so the gathering utility must retry rather than treat an empty result as seed material.
Advanced Intrusion Detection Environment
The Advanced Intrusion Detection Environment (AIDE) detects and logs any changes to the file system by comparing it against a previously recorded baseline. This service is used as a detect-and-alert system to facilitate rapid response to attempts to hack into the Cellcrypt Server. AIDE is only used to support auditing and integrity testing; its intrusion detection and prevention capabilities are excluded from the evaluation.
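A minimal AIDE-style baseline-and-compare routine, as an added example and not AIDE's or Cellcrypt's code. It hashes every regular file under a root, authenticates the baseline database with an HMAC, and reports added, removed and changed paths as audit lines. The key, the temporary directory tree and the "intrusion" edits are constructed for the example. It goes one step beyond the paragraph above to show why the baseline itself must be protected: a database rewritten without the key is rejected.

```python
"""AIDE-style file integrity baseline and check.

Added example, not AIDE's or Cellcrypt's code. Every regular file under a
root is recorded as (sha256, size, mode); a later scan is diffed against the
baseline. The baseline database is authenticated with an HMAC, since an
attacker who can modify files could otherwise rewrite the database to match.
The key is assumed to be kept off the monitored host.
"""
import hashlib
import hmac
import json
import os
import stat
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root) -> Dict[str, dict]:
    """Map relative POSIX path -> {sha256, size, mode} for regular files under root."""
    root = Path(root)
    entries = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            st = p.lstat()
            if not stat.S_ISREG(st.st_mode):      # skip symlinks, sockets, devices
                continue
            entries[p.relative_to(root).as_posix()] = {
                "sha256": hash_file(p), "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode)}
    return entries


def save_baseline(entries: Dict[str, dict], key: bytes) -> bytes:
    """Serialise the baseline with an HMAC-SHA256 over its canonical JSON form."""
    body = json.dumps(entries, sort_keys=True)
    mac = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return json.dumps({"entries": entries, "mac": mac}, sort_keys=True).encode()


def load_baseline(blob: bytes, key: bytes) -> Dict[str, dict]:
    """Reject a baseline whose MAC does not verify (tampered DB or wrong key)."""
    doc = json.loads(blob)
    body = json.dumps(doc["entries"], sort_keys=True)
    expect = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expect, doc["mac"]):
        raise ValueError("baseline MAC mismatch: database tampered or wrong key")
    return doc["entries"]


def compare(baseline: Dict[str, dict], current: Dict[str, dict]) -> Dict[str, List[str]]:
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }


def audit_lines(report: Dict[str, List[str]]) -> List[str]:
    """Render the diff as one line per finding (line format is this example's own)."""
    return [f"AIDE {kind} path={p}" for kind in ("added", "removed", "changed")
            for p in report[kind]]


def demo():
    """Constructed scenario: baseline a tiny tree, tamper with it, re-check."""
    key = b"demo-key-kept-off-box"                # assumption: not stored on the host
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication no\n")
        (root / "bin" / "nginx").write_bytes(b"\x7fELF constructed, not a real binary")
        blob = save_baseline(scan(root), key)
        # intrusion: a config edit and a dropped binary
        (root / "etc" / "sshd_config").write_text("PasswordAuthentication yes\n")
        (root / "bin" / "backdoor").write_bytes(b"\x7fELF constructed, not a real binary")
        report = compare(load_baseline(blob, key), scan(root))
        # a database that was rewritten without the key must be rejected
        tampered = blob.replace(b'"mac": "', b'"mac": "00', 1)
        try:
            load_baseline(tampered, key)
            mac_rejected = False
        except ValueError:
            mac_rejected = True
    return report, mac_rejected


if __name__ == "__main__":
    rep, rejected = demo()
    print("\n".join(audit_lines(rep)), "\nbaseline tamper rejected:", rejected)
```

Real AIDE records more attributes (inode, link count, ACLs, xattrs) and supports per-path rules; the point here is the shape of the check and that the database is only as trustworthy as the protection around it.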
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Cellcrypt Server was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the EAL for the product is EAL 1. The product, when delivered and configured as identified in the Cellcrypt Server Common Criteria Administrator Guide, satisfies all of the security functional requirements stated in the Cellcrypt Server Security Target. The project underwent CCEVS Validator review. The evaluation was completed in April 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
Logical Scope of the TOE
The TOE consists of several security functions that make up the logical scope of the TOE:
• Security audit
• Cryptographic support
• Data protection
• Identification and authentication
• Security management
• Protection of the TSF
• TOE access
• Trusted path/channels
Security Audit
All significant events occurring on the TOE, e.g. warnings, errors, and particularly security-related events, are logged by the TOE as audit events. The logs also include Call Detail Records (CDRs). All events are uploaded to a remote syslog server over a TLS-protected link.
Cryptographic Support
All TOE cryptography is performed by the Cellcrypt CCoreV4 FIPS 140-2 validated crypto module (Certificate #A1999). The TOE cryptographic support includes functions for key management, encryption and decryption, random number generation, digital signatures, secure hashing and keyed secure hashing. Cryptographic protocol support includes TLS, HTTPS and SSH.
Table 2: Cryptographic Algorithms
Data Protection
The TOE enforces the enterprise session controller SFP on all Voice/Video over IP (VVoIP) calls and mediates the data flow between enrolled caller and callee pairs.
Identification and Authentication
The TOE enforces role-based authorization for all administrative access. Administrators must have a user account on the TOE with an assigned administrative role. The TOE authenticates administrators by username and password, and for SSH command-line access also validates the login based on possession of the administrator's SSH private key. The TOE also validates X.509v3 client certificates on all TLS ports that make use of client certificates.
In addition to command line access, the TOE also provides administrators with HTTPS web portals allowing authorized access to database functionality for administering user and device profiles. Access to the web portals is based on username and password.
Protection of the TSF
The TOE provides comprehensive protection mechanisms to prevent unauthorized modification of its software. Built-In Self-Tests (BIST) validate the integrity of all files stored on the TOE's persistent storage media, and updates to the TOE software are validated using digital signatures. All file modification events are logged locally and remotely with reliable timestamps, due to the use of an external NTP time source. Warning banners are displayed at the start of any interactive session, and session inactivity timers terminate inactive sessions.
TOE Access
Before any Administrator access to the TOE is established, the TOE displays a security banner with an advisory notice and consent warning message. All inactive Administrator sessions are automatically terminated after a preconfigured period. Both Administrators and normal users can manually terminate a session at any time, after which re-authentication to the TOE is required before a new session is established.
Trusted Path/Channels
All communication channels on the TOE are cryptographically protected and all administrative interaction is authenticated. The ESC SFP is enforced on all user communications based on authorized user subscriptions.