Compliant Product - Guardtime Federal Black Lantern® BL300 Series and BL400 with BLKSI.2.2.1-FIPS
Certificate Date: 2022.09.09
Validation Report Number: CCEVS-VR-VID11287-2022
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The TOE includes the Black Lantern BL300-B2, BL300-C2, and BL400-A1 appliances, each with firmware version BLKSI.2.2.1-FIPS.
Each appliance contains an NXP T4240r2 QorIQ, 12 Dual Cores 64-bit Power Architecture (microarchitecture), 1667 MHz with SEC processor.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the TOE was judged are described in Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is Common Methodology for Information Technology Security Evaluation, Version 3.1 revision 5. The product, when delivered and configured as described in the guidance documentation, satisfies all of the security functional requirements stated in the Guardtime Federal Black Lantern® BL300 Series and BL400 with BLKSI.2.2.1-FIPS Security Target. The project underwent CCEVS validation team review. The evaluation was completed in July 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE is able to generate audit records of security relevant events. The TOE stores audit records locally and can also be configured to send the audit records to an external syslog server over a protected communication channel. The TOE protects locally stored audit records from unauthorized modification and deletion. By default, the TOE overwrites the oldest locally stored audit records and maintains a count of the number of overwritten records if space for storing newly generated audit records is exhausted. Alternatively, the administrator can configure the TOE to drop all new records and keep a counter of the audit records dropped when the local storage is full. In addition, the TOE generates a warning to inform the administrator before the audit trail exceeds the local audit storage capacity.
The TOE includes Guardtime Federal’s Cryptographic Support Library (CSL) Direct v2.0.0 cryptographic module, which provides the following CAVP-certified cryptographic services: random bit generation; asymmetric cryptographic key pair generation; key establishment; symmetric data encryption and decryption; digital signature generation and verification; cryptographic hashing; and keyed-hash message authentication. These services support implementation of higher-level cryptographic protocols, specifically TLS and HTTPS.
Identification and Authentication
The TOE requires all users to be successfully identified and authenticated prior to accessing its security management functions and other capabilities.
The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords. When a user is authenticated at the SCI, no information about the authentication data (i.e., password) is echoed to the user. Passwords can be composed of any combination of upper and lower case letters, numbers, and the following special characters: !; @; #; $; %; ^; &; *; (; ); _; ?; <; >; ,; .; ~; and |.
The TOE responds to consecutive failures to authenticate remote password-based login attempts. The TOE validates credentials in the HTTPS header of RESTful requests against a local user account and keeps a count of consecutive failed authentication attempts for each configured user. If the number of consecutive failed authentication attempts reaches the configured value for allowed failed attempts, the local account is disabled and remains so until a Security Admin user re-enables it. All users are subject to lockout following consecutive failed remote authentication attempts, but users with the Security Admin role can never be locked out of the SCI.
The TOE supports the use of X.509v3 certificates for TLS authentication and also supports certificate revocation checking using OCSP. The TOE will not accept a certificate if it is unable to establish a connection in order to determine the certificate’s validity.
The TOE supports local and remote security administration via the SCI and the RESTful API respectively.
The TOE supports the following two administrator roles, which together provide the capabilities of the Security Administrator role as defined in CPP_ND_V2.2E: Security Admin and Network Admin.
The TOE provides the security management functions necessary to configure and administer its security capabilities. These capabilities include configuring a login access banner, configuring a local session inactivity time limit before session termination, configuring the audit function, including export of audit records to an external audit server, setting the system date and time and configuring NTP, performing firmware updates, and managing X.509 certificates.
Protection of the TSF
The TOE protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator.
The TOE provides reliable time stamps for its own use and can be configured to synchronize its time via NTP.
The TOE provides a trusted means for determining the current running version of its firmware and for updating its firmware. The TOE verifies the integrity of TOE updates using a digital signature.
The TOE implements various self-tests that execute during the power-on and start up sequence, including cryptographic known answer tests that verify the correct operation of the TOE’s cryptographic functions.
The TOE will terminate local interactive sessions at the SCI after a configurable period of inactivity. The default time-out value is 300 minutes and this can be configured by a user with the Security Admin or Network Admin role.
The use of the RESTful API for remote security management means there is no concept of an interactive session for remote administrators—each request to the API is a self-contained, identified and authenticated request. As such, TSF-initiated termination of remote administrative sessions is deemed to occur immediately after the TOE services the request.
The TOE provides the capability for users to terminate their own local sessions by logging out of the TOE. For user-initiated termination of remote interactive sessions via the RESTful API, the interactive session is terminated immediately after the request is submitted to the interface.
The TOE can be configured to display an advisory and consent warning message before establishing a user session.
The TOE protects communications with remote administrators using HTTPS (for access to the REST API).
The TOE is able to protect transmission of audit records to an external audit server using TLS.