{"product_id":10180,"v_id":10180,"product_name":"IBM Global Security Kit Version 7.0.4.11","certification_status":"Not Certified","certification_date":"2007-08-02T00:08:00Z","tech_type":"Miscellaneous","vendor_id":{"name":"IBM Corporation","website":"https://www.ibm.com"},"vendor_poc":"Michael Thomas","vendor_phone":"+61 2 9354 4000","vendor_email":"mjthomas@au1.ibm.com","assigned_lab":{"cctl_name":"atsec information security corporation"},"product_description":"<p>The target of evaluation (TOE) is the Global Security ToolKit (GSKit) Version 7.0.4.11. GSKit Version 7.0.4.11 is a set of tools and C/C++ programming interfaces that can be integrated in software applications to add secure channels using the SSLv3 and TLSv1 protocols. It provides the cryptographic functions, the protocol implementation, and key generation and management functionality for this purpose. The TOE is a software only component; the operating system and hardware platform are part of the TOE environment. Consumers of the TOE are software products that need to establish SSLv3 or TLSv1 secure channels and developers of such products.</p>\r\n<p>The functionality provided comprises:</p>\r\n<ul>\r\n    <li>SSL and TLS functionality accessible via an API (called SSL API) for SSLv3 and TLSv1 with AES connections.</li>\r\n    <li>Key and certificate generation and management functionality via an API (called Key Management API) and a command line interface (CLI).</li>\r\n</ul>\r\n<p>Furthermore, GSKit Version 7.0.4.11 encapsulates the IBM Crypto for C (ICC) Version 1.4.5 component, which provides cryptographic functions. A large subset of the algorithms implemented in the ICC module and used by GSKit Version 7.0.4.11 has been validated according to FIPS 140-2 under the U.S. 
Government Cryptographic Module Validation Program.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was conducted by atsec information security corporation within the Common Criteria Evaluation and Validation Scheme (CCEVS) against the Common Criteria for Information Technology Security Evaluation (CC), CCIMB-2005-08-001, Version 2.3, August 2005, Part 1 to 3 for all assurance classes, applying the respective versions of the Common Methodology for Information Technology Security Evaluation. The evaluation demonstrated that the target of evaluation (TOE), IBM Global Security Kit (GSKit) Version 7.0.4.11 with IBM Crypto for C (ICC) 1.4.5.0, conforms to the functional and assurance claims in &ldquo;IBM Global Security Kit Version 7.0.4.11 Security Target, Version 1.5&rdquo; as of July 17, 2007, when operated as specified in &ldquo;Global Security Kit Common Criteria Mode Operating Guidance, Version 7.0&rdquo; as of May 10, 2007. The evaluation assurance level is EAL4, Part 3 conformant, Part 2 extended.</p>","environmental_strengths":"<p>The purpose of GSKit Version 7.0.4.11, the TOE, is to provide a secure channel between itself and a remote IT product. The TOE is intended to be incorporated into a product (software application), which is part of the TOE environment. The TOE is a software library and as such does not offer self-protection; corresponding assumptions on the IT and operational environment are defined in the Security Target and reflected in the guidance provided to consumers. The TOE provides a secure trusted channel to protect information transmitted over SSL and TLS against loss of confidentiality and integrity, and protection of cryptographic key material permanently stored in files in the underlying operating system.</p>\r\n<p>GSKit Version 7.0.4.11 is implemented by IBM for numerous operational platforms. 
This evaluation covers GSKit Version 7.0.4.11 on the platforms and operating systems specified in the Security Target.</p>\r\n<p>The following security functions are implemented by GSKit Version 7.0.4.11 and have been assessed as part of this evaluation:</p>\r\n<ul>\r\n    <li><strong>Secure Channel</strong> <br />\r\n    <p>The TOE offers a secure channel for the confidentiality and integrity protection of data transmitted over that channel. The implemented protocols are SSLv3 and TLSv1. The secure channel functionality of the TOE is available to software applications through the TOE&rsquo;s SSL API and to communication partners via a network interface provided by the IT environment. The TOE environment is responsible for limiting access to the API to the users and roles in the TOE environment that are authorized to use the provided functions.</p>\r\n    <p>The SSL and TLS connections support mandatory server authentication and optional (configurable as mandatory) client authentication. Total anonymity mode as defined in SSLv3 or TLSv1 (i.e., no server authentication) is not supported in the evaluated configuration.</p>\r\n    <p>For authentication, X.509 certificates are used; version 1, 2, and 3 certificates are supported for root and end-user certificates. Version 3 certificates are supported for intermediate CA certificates. Optional usage of OCSP responses and/or CRL checking is supported.</p>\r\n    </li>\r\n    <li><strong>Cryptographic operations</strong> <br />\r\n    <p>The TOE offers generation of symmetric keys, generation of asymmetric key pairs, symmetric encryption/decryption, asymmetric encryption/decryption, generation/verification of digital signatures, data authentication, secure message digest algorithms, and random number generation. The majority of the implemented cryptographic algorithms are FIPS-approved, and the majority of implementations have been FIPS 140-2 validated. 
Detailed information is provided in the Security Target.</p>\r\n    </li>\r\n    <li><strong>Self-tests and failure handling</strong> <br />\r\n    <p>GSKit Version 7.0.4.11 offers self-tests for the ICC component: some of ICC&rsquo;s cryptographic functions and the integrity of ICC can be tested. The self-tests have been analyzed as part of the FIPS 140-2 level 1 [FIPS140-2] validation. GSKit Version 7.0.4.11 provides the preservation of a secure state in case of SSL/TLS communication errors.</p>\r\n    </li>\r\n    <li><strong>Key Management</strong> <br />\r\n    <p>GSKit Version 7.0.4.11 provides a local command line interface and an API for key generation and management of asymmetric key pairs, as well as generation, request, request handling, and management of certificates. The import and export of private keys and public key certificates based on PKCS#12-formatted files is supported. Confidentiality and integrity of permanent key data is provided for by cryptographic means and a TOE-generated password.</p>\r\n    </li>\r\n</ul>\r\n<p>The password mechanism employed by the TOE meets the strength of mechanism requirements for SOF high. The strength of cryptographic algorithms has not been rated as part of this evaluation.</p>","features":[]}