Compliant Product - SecuSUITE v5.0 and SteelBox v5.0
Certificate Date: 2022.12.09
Documents: CC Certificate, Security Target, Validation Report
Validation Report Number: CCEVS-VR-VID11282-2022
Product Type: Network Encryption
Conformance Claim: Protection Profile Compliant
PP Identifier: PP-Module for Voice and Video over IP (VVoIP) Version 1.0
Functional Package for TLS Version 1.1
Protection Profile for Application Software Version 1.4
CC Testing Lab: Gossamer Security Solutions
The TOE, herein referred to as the SecuSUITE and SteelBox Client or the TOE, is a VoIP application that executes on an evaluated mobile device operating system.
The evaluated configuration is SecuSUITE v5.0 and SteelBox v5.0 installed on Android 11 or iOS 14.
The TOE user downloads the TOE from an app store (e.g. Apple App Store, Google Play), or it is pushed to the device by a Mobile Device Management (MDM) server (e.g. BlackBerry Enterprise Server), and installs the app on their mobile device. On first use of the app, the user must complete a registration process that enrolls the app with a specified BlackBerry SecuGATE (identified by URI).
Once registered, the user can place secure VoIP calls using the app with largely the same interactions as with a normal phone call. The SecuSUITE Client provides encryption of user call signaling and voice data.
The TOE is part of the SecuSUITE Security Solution shown in Figure 1-2. The TOE does not work in isolation but relies on BlackBerry SecuGATE components to enable a secure VoIP communication.
The SecuSUITE Client establishes a secure tunnel for voice communications with another SecuSUITE/SteelBox client or with the SecuGATE SIP server. The tunnel provides confidentiality, integrity and data-origin authentication for media that travels across the public network. It uses the Secure Real-time Transport Protocol (SRTP), with the SRTP keying material negotiated in the Session Description Protocol (SDP) using Security Descriptions for Media Streams (SDES); that is, the TOE supports SDES-SRTP.
The TOE also protects the signaling between itself and the SIP server with a Transport Layer Security (TLS) channel. To register within the domain, the TOE must authenticate to the SIP server with a password; in addition, X.509 certificates are used over the TLS connection to authenticate both the SIP server to the TOE and the TOE to the SIP server.
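As an added illustration of the SDES-SRTP keying described above (this is example code written for this page, not code from SecuSUITE, SteelBox or BlackBerry): the offerer places the SRTP master key and master salt, base64-encoded, in an SDP a=crypto attribute carried inside its SIP signaling; the answerer parses that attribute, and both sides run the RFC 3711 key derivation to obtain the session encryption key, authentication key and salt. The program below does both halves for the AES_CM_128_HMAC_SHA1_80 crypto-suite, using the master key and salt from the RFC 3711 Appendix B.3 test vectors as constructed input; only the Go standard library is used. Because SDES carries the master key in the clear inside SDP, its confidentiality rests entirely on the TLS-protected signaling channel, and the SIP server that relays the SDP necessarily sees the key; that is why the signaling protection and the media keying are two halves of one design.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// AES_CM_128_HMAC_SHA1_80 (RFC 4568 section 6.2): the inline key-param carries
// master key || master salt, 16 + 14 = 30 bytes, base64-encoded.
const masterKeyLen, masterSaltLen = 16, 14

// CryptoAttr is a parsed SDP "a=crypto" line.
type CryptoAttr struct {
	Tag                   int
	MasterKey, MasterSalt []byte
}

// SessionKeys are the RTP-direction keys derived from the master key (RFC 3711 section 4.3).
type SessionKeys struct{ Encr, Auth, Salt []byte }

// BuildCryptoAttr renders the line an SDP offerer sends inside its SIP signaling.
func BuildCryptoAttr(tag int, masterKey, masterSalt []byte) string {
	keySalt := append(append([]byte{}, masterKey...), masterSalt...)
	return fmt.Sprintf("a=crypto:%d AES_CM_128_HMAC_SHA1_80 inline:%s",
		tag, base64.StdEncoding.EncodeToString(keySalt))
}

// ParseCryptoAttr is the answerer's side: accept only the one crypto-suite and
// the inline key method, and reject key material of the wrong length.
func ParseCryptoAttr(line string) (*CryptoAttr, error) {
	line = strings.TrimSpace(line)
	if !strings.HasPrefix(line, "a=crypto:") {
		return nil, fmt.Errorf("not an a=crypto attribute")
	}
	fields := strings.Fields(strings.TrimPrefix(line, "a=crypto:"))
	if len(fields) < 3 {
		return nil, fmt.Errorf("a=crypto needs <tag> <crypto-suite> <key-params>")
	}
	tag, err := strconv.Atoi(fields[0])
	if err != nil || tag < 1 {
		return nil, fmt.Errorf("bad tag %q", fields[0])
	}
	if fields[1] != "AES_CM_128_HMAC_SHA1_80" {
		return nil, fmt.Errorf("unsupported crypto-suite %q", fields[1])
	}
	// key-params = "inline:" base64 ["|" lifetime] ["|" MKI ":" length]; only the key is used here.
	if !strings.HasPrefix(fields[2], "inline:") {
		return nil, fmt.Errorf("only the inline key-method is supported")
	}
	b64 := strings.SplitN(strings.TrimPrefix(fields[2], "inline:"), "|", 2)[0]
	keySalt, err := base64.StdEncoding.DecodeString(b64)
	if err != nil {
		return nil, fmt.Errorf("key-params is not valid base64: %w", err)
	}
	if len(keySalt) != masterKeyLen+masterSaltLen {
		return nil, fmt.Errorf("master key||salt must be %d bytes, got %d", masterKeyLen+masterSaltLen, len(keySalt))
	}
	return &CryptoAttr{Tag: tag, MasterKey: keySalt[:masterKeyLen], MasterSalt: keySalt[masterKeyLen:]}, nil
}

// DeriveSessionKeys runs the RFC 3711 section 4.3.1 AES-CM key derivation with
// key_derivation_rate = 0 (so r = 0): x = master_salt XOR (label || r), with the
// 56-bit key_id right-aligned in the 112-bit salt; each key is the AES-CM
// keystream generated from the counter x * 2^16.
func DeriveSessionKeys(a *CryptoAttr) (*SessionKeys, error) {
	block, err := aes.NewCipher(a.MasterKey)
	if err != nil {
		return nil, err
	}
	kdf := func(label byte, n int) []byte {
		iv := make([]byte, aes.BlockSize) // the 14-byte x followed by 16 zero bits
		copy(iv, a.MasterSalt)
		iv[masterSaltLen-7] ^= label // label is the top byte of the right-aligned key_id
		out := make([]byte, n)
		cipher.NewCTR(block, iv).XORKeyStream(out, out) // keystream over zeros
		return out
	}
	// Labels 0x00, 0x01, 0x02 with the AES-128 / HMAC-SHA1 / 112-bit salt lengths.
	return &SessionKeys{Encr: kdf(0x00, 16), Auth: kdf(0x01, 20), Salt: kdf(0x02, 14)}, nil
}

func main() {
	// Constructed input: master key and salt from the RFC 3711 Appendix B.3 vectors.
	masterKey, _ := hex.DecodeString("E1F97A0D3E018BE0D64FA32C06DE4139")
	masterSalt, _ := hex.DecodeString("0EC675AD498AFEEBB6960B3AABE6")
	line := BuildCryptoAttr(1, masterKey, masterSalt)
	fmt.Println("offer:", line)
	attr, err := ParseCryptoAttr(line)
	if err != nil {
		panic(err)
	}
	ks, err := DeriveSessionKeys(attr)
	if err != nil {
		panic(err)
	}
	fmt.Printf("session encryption key: %X\nsession auth key:       %X\nsession salt:           %X\n",
		ks.Encr, ks.Auth, ks.Salt)
}
```

The parser deliberately refuses anything other than the one crypto-suite and the inline key method; a real answerer would also honour the lifetime and MKI fields and derive the RTCP keys (labels 0x03 to 0x05) in the same way.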
Besides the peer-to-peer calls between two instances of the TOE, the SecuSUITE/SteelBox solution also allows the set-up of a secure conference call between a group of SecuSUITE users.
Secure Text Messaging
The TOE client allows encrypted instant messages to be exchanged between client applications. Secure Text Messaging uses the same TLS-protected channel that is used during initial SCA registration, over which client configuration settings and SIP credentials are transferred between SecuGATE and the client.
Besides peer-to-peer text messaging between two instances of the TOE, the SecuSUITE/SteelBox solution also supports messaging groups of an arbitrary number of SecuSUITE users. Messages are encrypted individually for every TOE user participating in the group messaging session, in the same way peer-to-peer messages are protected.
Calls Destined Beyond the SecuGATE SIP server
The TOE always encrypts the user's call signaling and voice data transmitted to other TOE VoIP endpoints registered with the SecuGATE, and to the SecuGATE itself. The SecuGATE administrator can additionally configure calling to endpoints reached through a PBX (another SIP server connected to local/internal landline phones and potentially to outside phone lines). If so configured, the TOE can place calls to endpoints beyond the SecuGATE through that PBX; however, because the call signaling and voice data then travel beyond the SecuGATE, their security ultimately lies beyond the control of the TOE and the SecuGATE SIP server.
While the ability of the SecuGATE SIP server to route calls to additional endpoints through a PBX lies beyond the scope of this ASPP14/PKGTLS11/VVoIPAS10 evaluation, the TOE can indicate when a user’s call travels beyond the SecuGATE SIP server.
CACI SteelBox Client
The SteelBox Client is a branded version of the SecuSUITE client that is identical from a functional and security-implementation perspective. It is distributed by BlackBerry's partner CACI and differs only in UI assets and product publishing. The relevant deltas are:
· Different splash screens during client start-up
· Replaced UI Assets and Text elements (e.g., SteelBox logo, product name, app icon, status bar icon, EULA text and About screen).
· Changes required to distribute the client under an independent publisher/developer in the App Stores (e.g. developer signing).
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Common Criteria Configuration Guide SecuSUITE v5.0 SteelBox v5.0, Version 1.1, 05-Dec-2022 document, satisfies all of the security functional requirements stated in the SecuSUITE v5.0 and SteelBox v5.0 Security Target, Version 0.6, December 8, 2022. The project underwent CCEVS Validator review. The evaluation was completed in December 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11282-2022) prepared by CCEVS.
The logical boundaries of the SecuSUITE v5.0 and SteelBox v5.0 are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE uses the Opus codec by default to transmit voice media, operating it at a fixed bit-rate.
The TOE also includes the SILK vocoder. This vocoder has been modified to pad its output to a constant bit-rate, so that packet sizes do not vary with the speech being encoded; a variable bit-rate would otherwise leak information about the content of the encrypted audio through packet lengths. This codec exists for backwards compatibility with previous versions of the TOE and is used only when the peer VoIP client does not support Opus.
Cryptographic support:
The TOE includes its own cryptographic module to perform operations in support of authentication and network communications using the TLS and SRTP protocols. The TOE implements TLS version 1.2 with mutual authentication using elliptic-curve cryptography. The TOE also relies on its platform for certain cryptographic operations, including providing random data to seed the TOE's own DRBG, and on the platform (i.e., iOS and Android) cryptographic libraries for operations related to protecting keys in platform-provided storage (i.e., a key store).
User data protection:
The TOE enforces the media transmission policy when communicating with remote VVoIP endpoints, which use the TLS and SRTP protocols. It also ensures that communication with an SCA server is protected using TLS. The TOE protects stored user data by using the platform's data-storage services.
Identification and authentication:
The TOE authenticates TLS peers using X.509v3 certificates, performing extensive X.509 certificate validation checks on them and rejecting invalid or revoked certificates.
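To make concrete what rejecting "invalid or revoked" certificates involves for a TLS peer that authenticates with elliptic-curve certificates, here is an added example written for this page. It is not SecuSUITE or SteelBox code, and the exact set of checks the TOE performs is defined by the evaluation documents, not by this listing. The program builds a throwaway ECDSA P-256 test PKI in memory (the names ca.example, rogue-ca.example and sip.example are made up), then verifies a peer certificate the way a TLS client must: chain to a trusted root, validity period, extended key usage and host name, followed by a lookup in a CRL signed by the issuer, so that a revoked certificate is rejected and a missing or stale CRL is treated as failure rather than success. It uses only the Go standard library (crypto/x509).

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// issue mints an ECDSA P-256 certificate for name, signed by parent/parentKey
// (self-signed when parent is nil). Throwaway in-memory test PKI, not a real CA.
func issue(name string, isCA bool, notAfter time.Time, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	must(err)
	tmpl := &x509.Certificate{SerialNumber: serial, Subject: pkix.Name{CommonName: name}, IsCA: isCA,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{name}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert, key
}

// VerifyPeer does what a TLS endpoint must do with a received certificate: build a chain to a
// trusted root (signatures, validity, key usage, host name), then refuse revoked chain members.
func VerifyPeer(leaf *x509.Certificate, roots *x509.CertPool, host string, crls []*x509.RevocationList) error {
	chains, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	if err != nil {
		return fmt.Errorf("chain validation failed: %w", err)
	}
	for i := 0; i+1 < len(chains[0]); i++ { // every certificate except the trust anchor
		if err := checkRevoked(chains[0][i], chains[0][i+1], crls); err != nil {
			return err
		}
	}
	return nil
}

// checkRevoked consults a current CRL that issuer actually signed; no usable CRL is a hard fail.
func checkRevoked(cert, issuer *x509.Certificate, crls []*x509.RevocationList) error {
	for _, crl := range crls {
		if crl.CheckSignatureFrom(issuer) != nil || time.Now().After(crl.NextUpdate) {
			continue // not this issuer's CRL, or no longer current
		}
		for _, rc := range crl.RevokedCertificates {
			if rc.SerialNumber.Cmp(cert.SerialNumber) == 0 {
				return fmt.Errorf("certificate %q has been revoked", cert.Subject.CommonName)
			}
		}
		return nil
	}
	return fmt.Errorf("no current CRL for issuer %q", issuer.Subject.CommonName)
}

// Scenarios builds the test PKI and runs VerifyPeer over the cases a client must reject.
func Scenarios() map[string]error {
	now := time.Now()
	ca, caKey := issue("ca.example", true, now.Add(24*time.Hour), nil, nil)
	rogue, rogueKey := issue("rogue-ca.example", true, now.Add(24*time.Hour), nil, nil)
	good, _ := issue("sip.example", false, now.Add(time.Hour), ca, caKey)
	expired, _ := issue("sip.example", false, now.Add(-time.Minute), ca, caKey)
	revoked, _ := issue("sip.example", false, now.Add(time.Hour), ca, caKey)
	untrusted, _ := issue("sip.example", false, now.Add(time.Hour), rogue, rogueKey)
	crlDER, err := x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: now.Add(-time.Minute), NextUpdate: now.Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: now}},
	}, ca, caKey)
	must(err)
	crl, err := x509.ParseRevocationList(crlDER)
	must(err)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	crls := []*x509.RevocationList{crl}
	return map[string]error{
		"valid":            VerifyPeer(good, roots, "sip.example", crls),
		"expired":          VerifyPeer(expired, roots, "sip.example", crls),
		"revoked":          VerifyPeer(revoked, roots, "sip.example", crls),
		"untrusted issuer": VerifyPeer(untrusted, roots, "sip.example", crls),
		"wrong host name":  VerifyPeer(good, roots, "other.example", crls),
	}
}

func main() {
	for name, err := range Scenarios() {
		fmt.Printf("%-17s -> %v\n", name, err)
	}
}
```

In a real client this logic would hang off the TLS library's peer-verification hook (tls.Config.VerifyPeerCertificate in Go), so that a chain the TLS stack accepts can still be refused on revocation grounds. Whether the TOE checks revocation by CRL or by OCSP is not stated in this listing.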
Security management:
The TOE receives its configuration settings during registration with an SCA server. The client allows management operations that specify the SIP server to use for connections.
Privacy:
The TOE does not transmit Personally Identifiable Information over any network interface.
Protection of the TSF:
The TOE relies on the physical boundary of the evaluated platform as well as the Android and iOS operating systems for the protection of the TOE’s application components.
The TOE relies upon these platforms to indicate the current TOE version. If an update is needed, it is obtained from the platform’s application store. The TOE’s software is digitally signed in accordance with the requirements of each application store.
The native Apple and Android cryptographic libraries, which provide some of the TOE's cryptographic services, have built-in self-tests that run at client start-up to ensure that the algorithms operate correctly. If any self-test fails, the TOE is unable to perform its cryptographic services. The TOE's own cryptographic library also includes self-tests that run when the client starts.
The TOE has a default 15-second timeout that terminates idle voice/video transmission. The timeout value can be changed through the configuration obtained from the SCA server.
Trusted path/channels:
The TOE encrypts all data exchanged with an SCA server or an Enterprise Session Controller (ESC) using TLS. The TLS channel established with an ESC can carry SIP messages or be used to initiate the use of SRTP for voice/video traffic.