Compliant Product - Wickr Enterprise Server 1.30.0
Certificate Date: 2023.06.12
Validation Report Number: CCEVS-VR-VID11321-2023
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.4
CC Testing Lab: Leidos Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is Wickr Enterprise Server 1.30.0. The TOE is an on-premise application providing communication with Wickr Enterprise Clients.
Wickr Enterprise Server is part of a client-server distribution. The TOE is the server portion of this distribution. It interacts with Wickr Enterprise Client applications in its operational environment. Collectively, they make up the Wickr Enterprise solution.
Wickr Enterprise is an end-to-end encrypted service that provides communication services for client devices in a closed-loop, zero-trust environment.
Wickr Enterprise Server 1.30.0 is a containerized software application. The Docker container on which the TOE runs uses Amazon Linux 2 as its container image, while the underlying OS platform on which the Docker container runs (and which provides the underlying OS kernel to the container image) is Ubuntu 18.04.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme for the Protection Profile for Application Software, Version 1.4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the Wickr Enterprise Server 1.30.0 Security Target. The evaluation was completed in June 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE uses NIST-validated cryptographic algorithms to secure messaging data in transit. The cryptographic functions are supplied by the host platform. Credential data is protected by a platform-provided mechanism.
User Data Protection
The TOE leverages platform functionality to secure sensitive data at rest. The TOE uses network resources provided by the underlying platform.
The TOE uses network connectivity to interact with Wickr Clients and for administrator sessions.
The TOE provides management capability for environmental components via a web interface. Administrator accounts are defined locally. Wickr Server configuration data is stored locally but is not managed through the TOE.
The TOE does not process any personally identifiable information (PII). No transmission of PII occurs that is not in direct response to user activity.
Protection of the TSF
The TOE includes measures to integrate securely with its Linux platform. The TOE does not perform explicit memory mapping, nor does it allocate any memory region with both write and execute permissions. Similarly, the TOE does not write user-modifiable data to directories that contain executable files. The TOE is compatible with its supported host OS platform when it is configured in a secure manner. The TOE includes C code compiled to enforce Address Space Layout Randomization (ASLR) and to protect against stack overflow, as well as interpreted code that enforces ASLR through its runtime environment and is not susceptible to stack-based buffer overflow attacks.
The TOE uses a well-defined set of platform APIs and third-party libraries.
The TOE provides the ability for a user to check its version. The TOE platform is used to apply updates. Updates are delivered as a container image. Updates to the TOE are digitally signed, and the signature is validated by the platform prior to installation. The TOE does not modify its own code. Removal of the application removes all executable code associated with the TOE.
The TOE uses trusted paths to secure data in transit between itself and external entities using platform-provided mechanisms. The TOE uses platform-provided TLS and HTTPS for service requests, data communication, and web administration.