The TOE is a client/server application that provides secure access from client workstations to host mainframe system applications through the Persona server. Additionally, the Persona Server provides terminal emulation between the client workstation and the host mainframe system. The TOE employs a level of DES key encryption for data security that includes DES as well as 3DES. Persona enables high-level security encoding capabilities, including SSL, SSH, DES, and Triple DES (3DES) to safeguard display and report data transmitted between one or more Persona client workstations through the Persona server to a host mainframe system computer.
\r\nThe TOE is composed entirely of software and requires a physically dedicated protected web server running Windows 2000 or Windows XP Professional on which the Persona server is installed.
\r\nThe TOE resides within the Application layer of the OSI network model. The TOE adds an extra layer of protection by using the SSL (Secure Socket Layer) or the Secure Shell (SSH) protocols when it sends or receives information from a host mainframe system and the SSL protocol when the TOE sends or receives information from a client. The TOE uses cryptography to establish a secure session between the Persona server and one or more Persona clients. It also The TOE enforces Information Flow Control and Cryptographic Support functions by using SSL utilizing DES or 3DES to encrypt all information sent between the client and the server and SSL or SSH utilizing DES or 3DES to encrypt all information sent between the server and the host. Additionally, the communication between the client and the server is considered a trusted channel and between the server and the host is considered a trusted path.
\r\nAdministrators are the only users known to the TOE. The TOE enforces an Identification and Authentication function by requiring administrator users to enter the correct administrative name and password.
\r\nThe TOE enforces a Security Management function by allowing authenticated users to perform administrative functions such as disconnecting a session.
\r\nThe TOE Security Functions (TSF) are protected by the Persona Server only allowing a Persona Client the ability to connect to a host. PKI Technology is used for client to server connection. Once the connection is established, the TSF ensures that all communication between the client and the host is encrypted. The TSF is also protected by the environment ensuring that all information from a client to a host or a host to a client goes through the Persona Server.
","evaluation_configuration":null,"security_evaluation_summary":"For this evaluation, it was appropriate for the Security Target to claim compliance with the external standards for DES and 3 DES for the definition of the encryption algorithms. There are many ways of determining compliance with a standard. Esker has chosen to make a developer claim of compliance. This means that there has been no independent verification (by either the evaluators or a third party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.
\r\nThe evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that Persona 5.0 meets the security requirements contained in the Security Target. The criteria against which Persona 5.0 was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1 and National and International Interpretations effective May 2002. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Application International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the Persona TOE is EAL 3. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in December 2002. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for Persona 5.0 prepared by CCEVS.
","environmental_strengths":"Persona 5.0 is a commercial product that provides cryptography, information flow control, identification and authentication, security management, and protection of its security functions. Persona 5.0 provides secure access to information allowing information to be available yet protected. Persona 5.0 provides a level of protection that is appropriate for IT environments where the Persona Server can be protected from physical attacks and the attack potential is moderate.
","features":[]}