NIAP: Compliant Product
Compliant Product - Fortra’s GoAnywhere Managed File Transfer v6.8

Certificate Date:  2023.04.07

Validation Report Number:  CCEVS-VR-VID11216-2023

Product Type:    Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Functional Package for TLS Version 1.1
  Protection Profile for Application Software Version 1.3
  Extended Package for Secure Shell (SSH) Version 1.0

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The Target of Evaluation (TOE) is Fortra's GoAnywhere Managed File Transfer v6.8 (MFT), a software application that provides secure file transfer services over HTTPS, TLS, and SSH. GoAnywhere MFT is a managed file transfer solution that streamlines the exchange of data between systems, employees, customers, and trading partners. It provides centralized control with extensive security settings and detailed audit trails, and helps process information from files into XML, CSV, JSON, and databases.


Evaluated Configuration

The TOE has been evaluated on the following host platforms:

·       CentOS 7 on ESXi 6.7 with Intel Xeon E5-4620v4 (Broadwell)

·       Windows Server 2016 on ESXi 6.7 with Intel Xeon E5-4620v4 (Broadwell)

Note: The TOE is the application software only. The host platforms are not part of the evaluation.

The TOE supports (sometimes optionally) secure connectivity with several other IT environment devices as described below.

Environment Component | Required | Usage/Purpose Description
--------------------- | -------- | -------------------------
Web Browser | Yes | Remote administration and user file access over HTTPS/TLSv1.2.
Database Server | Yes | MySQL, PostgreSQL, MS SQL Server, Oracle, or DB2/400 for storing settings. The server must support TLSv1.2 to enable secure access by the TOE.
LDAP/AD Server | No | Remote authentication server supporting TLSv1.2.
Mail Server | No | Mail server supporting SMTP over TLSv1.2 for sending notifications.
File Server | No | Remote file server for storing user files: AS2, AS4, or WebDAV servers supporting HTTPS/TLSv1.2; SFTP or SCP servers supporting SSHv2; FTPS servers supporting TLSv1.2; Amazon S3 or Azure Blob Storage supporting HTTPS/TLSv1.2; REST, SOAP, or generic HTTPS/TLSv1.2 servers.
File Transfer Client | No | Client allowing users to store and retrieve files from the TOE: AS2 or AS4 clients supporting HTTPS/TLSv1.2; SFTP or SCP clients supporting SSHv2; FTPS clients supporting TLSv1.2.
Java Runtime Environment | Yes (on CentOS) | Platform-provided Java SE 8 Java Runtime Environment (JRE). Note: the Windows platform does not provide a JRE, so the Windows version of the TOE includes the required JRE.



Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which Fortra's GoAnywhere Managed File Transfer v6.8 was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when configured as identified in the Common Criteria Configuration Guide (AGD) for Fortra's GoAnywhere Managed File Transfer v6.8, satisfies all of the security functional requirements stated in the Fortra's GoAnywhere Managed File Transfer v6.8 Security Target. The project underwent CCEVS Validator review. The evaluation was completed in April 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

Logical Boundaries

The TOE provides the security functionality required by the Protection Profile for Application Software [SWAPP], the Functional Package for TLS [TLS-PKG], and the Extended Package for Secure Shell [SSH-EP] listed above.

Cryptographic Support

The TOE uses the GoAnywhere MFT Bouncy Castle FIPS Java API cryptographic library, version 1.0.2. This library implements all of the cryptographic algorithms required for SSH and TLS and draws its entropy from the platform RBG.

The cryptographic services provided by the TOE are described below:

Cryptographic Protocol | Use within the TOE
---------------------- | ------------------
SSHv2 client | File server transfers using SFTP or SCP
SSHv2 server | User file transfers using SFTP or SCP
HTTPS/TLSv1.2 client | File server transfers using AS2, AS4, WebDAV, FTPS, Amazon S3, Azure Blob Storage, REST, SOAP, or HTTPS; check for updates
HTTPS/TLSv1.2 server | HTTPS remote administration; HTTPS file access; AS2 or AS4 clients
TLSv1.2 client | Database server; authentication server; mail server
TLSv1.2 server | User file transfers using FTPS

Table 3 TOE Provided Cryptography

The cryptographic algorithms have been validated for conformance to their respective standards through CAVP testing, or are vendor affirmed where no CAVP test exists, as identified below.

SFR | Algorithm in ST | CAVP Alg. | CAVP Cert #
--- | --------------- | --------- | -----------
FCS_CKM.1 | RSA schemes using cryptographic key sizes of 2048-bit or greater that meet the following: FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.3 | RSA KeyGen (n = 2048, 3072) | C1876
FCS_CKM.1 | ECC schemes using "NIST curves" [P-256, P-384, P-521] that meet the following: FIPS PUB 186-4, "Digital Signature Standard (DSS)", Appendix B.4 | ECDSA KeyGen, ECDSA KeyVer (Curve = P-256, P-384, P-521) | C1876
FCS_CKM.1 | FFC schemes using Diffie-Hellman group 14 that meet the following: RFC 3526, Section 3 | NIAP Policy Letter #5, Addendum #2, states "No NIST CAVP, CCTL must perform all assurance/evaluation activities". | Vendor Affirmed
FCS_CKM.2 | RSA-based key establishment schemes that meet the following: RSAES-PKCS1-v1_5 as specified in Section 7.2 of RFC 8017, "Public-Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.2" | NIAP Policy Letter #5, Addendum #2, states "No NIST CAVP exists, must be described in TSS – See FIPS 140-2 I.G. D.4: Vendor Affirmation". | Vendor Affirmed
FCS_CKM.2 | Elliptic curve-based key establishment schemes that meet the following: NIST Special Publication 800-56A Revision 2, "Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography" | KAS-ECC (Curve = P-256, P-384, P-521) | C1876
FCS_CKM.2 | Key establishment scheme using Diffie-Hellman group 14 that meets the following: RFC 3526, Section 3 | NIAP Policy Letter #5, Addendum #2 does not provide any guidance for this selection. | Vendor Affirmed
FCS_COP.1/DataEncryption | AES used in [CBC, GCM] mode and cryptographic key sizes [128 bits, 256 bits] | AES-CBC (128-bit, 256-bit); AES-GCM (128-bit, 256-bit) | C1876
FCS_COP.1/SigGen | For RSA schemes: FIPS PUB 186-4, "Digital Signature Standard (DSS)", Section 5.5, using PKCS #1 v2.1 Signature Schemes RSASSA-PSS and/or RSASSA-PKCS1v1_5; ISO/IEC 9796-2, Digital signature scheme 2 or Digital Signature scheme 3 | RSA SigGen, RSA SigVer (n = 2048, 3072) | C1876
FCS_COP.1/SigGen | For ECDSA schemes: FIPS PUB 186-4, "Digital Signature Standard (DSS)", Section 6 and Appendix D, implementing "NIST curves" [P-256, P-384, P-521]; ISO/IEC 14888-3, Section 6.4 | ECDSA SigGen, ECDSA SigVer (Curve = P-256, P-384, P-521) | C1876
FCS_COP.1/Hash | [SHA-1, SHA-256, SHA-384, SHA-512] and message digest sizes [160, 256, 384, 512] bits | SHA-1, SHA2-256, SHA2-384, SHA2-512 | C1876
FCS_COP.1/KeyedHash | [HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512] and cryptographic key sizes [160, 256, 384, 512] bits and message digest sizes [160, 256, 384, 512] bits | HMAC-SHA-1, HMAC-SHA2-256, HMAC-SHA2-384, HMAC-SHA2-512 | C1876
FCS_RBG_EXT.1 | CTR_DRBG (AES) | Counter DRBG (AES) | C1876

Table 4 CAVP Algorithm Testing References
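
The environment table, Table 3 and Table 4 together describe what every TLS peer of the TOE is held to: TLSv1.2 only, a server certificate path-validated per RFC 5280, and key establishment, cipher and MAC algorithms drawn from the CAVP table. The following Python is an added example, not code from the NIAP page or from Fortra's product. It builds a client context under those constraints and an audit function that checks any `ssl.SSLContext` against them, next to an unconstrained context for contrast. The cipher suite allow-list is an assumption: it is a set consistent with Table 4 (RSA, ECDHE or DHE key establishment; AES-128/256 in CBC or GCM; SHA-1, SHA-256 or SHA-384 MACs), not the selection actually made in the Security Target, which this page does not reproduce; the `cafile` parameter is likewise assumed.

```python
"""Added example: a TLS client context restricted to the evaluated configuration's
requirements, plus an audit of any context against them.  Not code from the NIAP
page or from Fortra.  EVALUATED_SUITES is an assumed allow-list consistent with
Table 4, not the Security Target's actual selection."""
import ssl

# OpenSSL names of the assumed suites (IANA names in the comments).
EVALUATED_SUITES = [
    "ECDHE-ECDSA-AES256-GCM-SHA384",  # TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
    "ECDHE-RSA-AES256-GCM-SHA384",    # TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
    "ECDHE-ECDSA-AES128-GCM-SHA256",  # TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
    "ECDHE-RSA-AES128-GCM-SHA256",    # TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    "DHE-RSA-AES256-GCM-SHA384",      # TLS_DHE_RSA_WITH_AES_256_GCM_SHA384 (DH group 14)
    "DHE-RSA-AES128-GCM-SHA256",      # TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
    "ECDHE-ECDSA-AES256-SHA384",      # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
    "ECDHE-RSA-AES256-SHA384",        # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
    "ECDHE-ECDSA-AES128-SHA256",      # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
    "ECDHE-RSA-AES128-SHA256",        # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
    "DHE-RSA-AES256-SHA256",          # TLS_DHE_RSA_WITH_AES_256_CBC_SHA256
    "DHE-RSA-AES128-SHA256",          # TLS_DHE_RSA_WITH_AES_128_CBC_SHA256
    "AES256-GCM-SHA384",              # TLS_RSA_WITH_AES_256_GCM_SHA384
    "AES128-GCM-SHA256",              # TLS_RSA_WITH_AES_128_GCM_SHA256
    "AES256-SHA256",                  # TLS_RSA_WITH_AES_256_CBC_SHA256
    "AES128-SHA256",                  # TLS_RSA_WITH_AES_128_CBC_SHA256
    "ECDHE-ECDSA-AES256-SHA",         # TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
    "ECDHE-RSA-AES256-SHA",           # TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
    "ECDHE-ECDSA-AES128-SHA",         # TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
    "ECDHE-RSA-AES128-SHA",           # TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
    "DHE-RSA-AES256-SHA",             # TLS_DHE_RSA_WITH_AES_256_CBC_SHA
    "DHE-RSA-AES128-SHA",             # TLS_DHE_RSA_WITH_AES_128_CBC_SHA
    "AES256-SHA",                     # TLS_RSA_WITH_AES_256_CBC_SHA
    "AES128-SHA",                     # TLS_RSA_WITH_AES_128_CBC_SHA
]


def evaluated_client_context(cafile=None):
    """Client context matching what the tables require of a TLS peer connection."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # no TLS 1.0/1.1 fallback
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2  # TLS 1.3 is outside the evaluated configuration
    ctx.verify_mode = ssl.CERT_REQUIRED           # OpenSSL performs RFC 5280 path validation
    ctx.check_hostname = True                     # reference identifier must match the certificate
    ctx.options |= ssl.OP_NO_COMPRESSION
    if cafile:                                    # assumed parameter: trust anchor(s) for the peer's CA
        ctx.load_verify_locations(cafile)
    else:
        ctx.load_default_certs()
    ctx.set_ciphers(":".join(EVALUATED_SUITES))
    return ctx


def unconstrained_client_context():
    """Contrast case: verification switched off, versions left at library defaults."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE  # accepts any certificate: no path validation at all
    return ctx


def enabled_tls12_suites(ctx):
    """Names of the TLS 1.2-and-earlier suites a context would offer."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] != "TLSv1.3")


def audit_context(ctx):
    """Return a list of findings; an empty list means the context stays inside the evaluated bounds."""
    findings = []
    if (ctx.minimum_version, ctx.maximum_version) != (ssl.TLSVersion.TLSv1_2, ssl.TLSVersion.TLSv1_2):
        findings.append("protocol versions other than TLSv1.2 are enabled")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate is not required, so no RFC 5280 path validation happens")
    if not ctx.check_hostname:
        findings.append("hostname is not matched against the certificate")
    extra = sorted(set(enabled_tls12_suites(ctx)) - set(EVALUATED_SUITES))
    if extra:
        findings.append("cipher suites outside the evaluated set: " + ", ".join(extra))
    return findings


if __name__ == "__main__":
    for name, ctx in (("evaluated", evaluated_client_context()),
                      ("unconstrained", unconstrained_client_context())):
        print(name, audit_context(ctx) or "OK")
```

The same audit can be pointed at the context handed to `urllib`, `smtplib` or a database driver to confirm that the connections the environment table requires (database, LDAP/AD, mail, file servers) stay on TLSv1.2 with the evaluated algorithms. The suites actually claimed by the product are in the Security Target linked above; substitute that selection for EVALUATED_SUITES.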

User Data Protection

The TOE relies on the underlying platform to encrypt sensitive data at rest.

Identification and Authentication

The TOE uses X.509v3 certificates as defined by RFC 5280 to authenticate TLS connections to external TLS servers, validating them with the certificate path validation algorithm defined in RFC 5280.

The TOE authenticates users by username and password or by X.509 TLS client certificates.

Security Management

The TOE allows the configuration of users, file servers, file transfer services, keys and certificates, and cryptographic protocols.

Privacy

The TOE does not transmit Personally Identifiable Information (PII) over the network.

Protection of the TSF

The TOE employs several mechanisms to ensure that it is secure on the host platform. It allocates only a limited amount of memory that is both writable and executable, enough for just-in-time compiling. The TOE supports ASLR, stack-based overflow protections, and the platform security mechanisms (Windows Defender and SELinux).

The TOE is distributed as a Microsoft .EXE file (Windows) or an RPM (CentOS). The installers are signed by Fortra so that the platform can verify their integrity and origin before installation.
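
The following is an added example, not code from the NIAP page or from Fortra, showing how a deployment can gate installation of the CentOS package on the platform check the paragraph above refers to. `rpm --checksig` reports a signature as verified only after the signer's public key has been imported (`rpm --import <key file>`), and an unsigned package still passes its digest check, so the parser requires an explicit signature token and the signer's key ID is compared against the expected one. The key file, expected key ID and package file name are assumptions, and the sample `rpm` output lines are constructed from the tool's output formats, not captured from a real package.

```python
"""Added example (not from the NIAP page or Fortra): refuse to install an RPM
unless the platform's rpm tool verifies its signature and the signer's key ID is
the expected one.  Package name and key ID below are placeholders."""
import re
import subprocess

# `rpm -qp --qf '%{RSAHEADER:pgpsig}'` prints, for example:
#   RSA/SHA256, Tue 21 Mar 2023 10:00:00 AM UTC, Key ID 0123456789abcdef
_KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})")


def checksig_verified(line):
    """True only if an `rpm --checksig` (rpm -K) result line reports both the
    digests and a PGP signature as verified.

      rpm 4.11 (CentOS 7):  pkg.rpm: rsa sha1 (md5) pgp md5 OK            verified
                            pkg.rpm: sha1 md5 OK                          unsigned
                            pkg.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: ...)
      rpm >= 4.14:          pkg.rpm: digests signatures OK                verified
                            pkg.rpm: digests OK                           unsigned
                            pkg.rpm: digests SIGNATURES NOT OK            key missing or bad

    rpm prints a failed check in upper case, so only the lower-case signature
    tokens count, and a line with no signature token (unsigned package) fails.
    """
    _, sep, result = line.partition(": ")
    if not sep or "NOT OK" in result or not result.endswith(" OK"):
        return False
    return bool({"pgp", "gpg", "signatures"} & set(result.split()))


def signer_key_id(pgpsig):
    """Extract the 64-bit key ID from a %{...:pgpsig} line; None if there is none."""
    m = _KEY_ID_RE.search(pgpsig)
    return m.group(1).lower() if m else None


def verify_rpm(path, expected_key_id):
    """Run the platform checks on a package file; returns (ok, reason)."""
    try:
        chk = subprocess.run(["rpm", "--checksig", path],
                             capture_output=True, text=True)
        sig = subprocess.run(["rpm", "-qp", "--qf",
                              "%{RSAHEADER:pgpsig}\n%{SIGPGP:pgpsig}\n", path],
                             capture_output=True, text=True)
    except FileNotFoundError:
        return False, "rpm tool not available on this platform"
    lines = chk.stdout.strip().splitlines()
    line = lines[-1] if lines else ""
    if chk.returncode != 0 or not checksig_verified(line):
        return False, "signature not verified: " + (line or chk.stderr.strip())
    ids = {signer_key_id(l) for l in sig.stdout.splitlines()} - {None}
    if expected_key_id.lower() not in ids:
        return False, "signed by unexpected key(s): " + (", ".join(sorted(ids)) or "none")
    return True, "signature verified, signed by key " + expected_key_id.lower()


if __name__ == "__main__":
    # Placeholders: substitute the downloaded installer's file name and the key
    # ID of Fortra's published signing key (imported first with `rpm --import`).
    ok, why = verify_rpm("goanywhere-mft-6.8.rpm", "0123456789abcdef")
    print(("INSTALL" if ok else "REFUSE") + ": " + why)
```

On the Windows platform the equivalent check is `Get-AuthenticodeSignature` on the .EXE: install only when its Status is Valid and the SignerCertificate subject is Fortra's.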

Trusted Path/Channels

The TOE protects all data in transit using TLSv1.2 or SSHv2, over the client and server protocol instances listed in Table 3.


Vendor Information


Fortra, LLC
Mike Woessner
402-281-0815
mike.woessner@fortra.com

https://www.goanywhere.com