Compliant Product - SpaceX Regulus
Certificate Date: 2023.08.07
Validation Report Number: CCEVS-VR-VID11327-2023
Product Type: Virtual Private Network
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
PP-Module for Virtual Private Network (VPN) Gateways Version 1.1
CC Testing Lab: Acumen Security
The physical boundary of the TOE is the SpaceX Regulus chassis, which is a networked device providing connectivity to external networked entities. The TOE includes a specialized PCB board containing a Zynq Ultrascale+ ZU5 System on Chip (SoC) processor, based on the Armv8-A architecture, which executes the TOE software, along with an NXP SE050F cryptographic accelerator. The TOE provides the following interfaces for management and network connectivity:
· 1x 100Mbps and 1x 10Gbps Ethernet ports for connectivity to trusted networks
· 1x 100Mbps, 1x 1Gbps, and 1x 10Gbps Ethernet ports for connectivity to untrusted networks
· UART for local serial console access
· 120VAC power input
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the SpaceX Regulus was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation assurance level (EAL) for the product is EAL 1. The product, when delivered configured as identified in the Regulus AR, satisfies all of the security functional requirements stated in the SpaceX Regulus Security Target. The project underwent CCEVS Validator review. The evaluation was completed in August 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE provides the security functions required by the Collaborative Protection Profile for Network Devices, hereafter referred to as NDcPP v2.2e or NDcPP, along with the functionality specified in the PP-Module for VPN Gateways, or MOD_VPNGW 1.1.
The TOE generates audit events for all actions specified in Table 11 below and includes the identity of the entity that caused the event (if applicable), date and time of the event, event type, and outcome. Audit records are transmitted to an external log receiver via IPsec tunnels.
The TOE implements CAVP validated cryptographic algorithms as specified in section 6.1 for asymmetric key generation, encryption/decryption, digital signatures, hashing, message authentication, and random bit generation. These algorithms are used to provide security for the SSH and IPsec connections, DRBG operations, secure key generation and storage, and digital signature operations.
Identification and authentication are required both for user administrative access to the device and for establishing IPsec VPN peer connections.
User-level authentication is performed at the command line and supports remote and local access: public-key authentication and passwords for SSH over the network, and password authentication only for local console access. No management functionality is granted to users prior to this authentication process, and all trusted passwords and SSH keys are stored locally on the TOE. Passwords must be a minimum length of 15 characters, and only ECDSA P-384 keys are supported for public-key authentication. If a user fails to authenticate via a password, their account will be automatically locked out of remote access until an administrator-configurable amount of time has passed.
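As an added illustration (not code from the validation report or from the Regulus product), the following Python check models the "only ECDSA P-384 keys" rule for SSH public-key authentication: it decodes an authorized_keys entry in OpenSSH wire format and confirms that the text label, the key type embedded in the blob, the curve name and the point length all agree, so a key that is merely relabelled as P-384 is still rejected. The sample key material is constructed for the demonstration and is not a real key pair.

```python
import base64
import struct

# Policy stated for the TOE: only ECDSA P-384 keys are accepted for SSH pubkey auth.
ALLOWED_KEY_TYPE = "ecdsa-sha2-nistp384"
ALLOWED_CURVE = "nistp384"
P384_POINT_LEN = 1 + 2 * 48  # uncompressed point: 0x04 || X (48 bytes) || Y (48 bytes)

def _read_string(blob, offset):
    """Read one RFC 4251 'string' (uint32 length prefix, then bytes) from the key blob."""
    (length,) = struct.unpack(">I", blob[offset:offset + 4])
    start = offset + 4
    return blob[start:start + length], start + length

def _ssh_string(data):
    return struct.pack(">I", len(data)) + data

def pubkey_allowed(authorized_keys_line):
    """True only for a well-formed P-384 key whose decoded blob agrees with its text label."""
    fields = authorized_keys_line.split()
    if len(fields) < 2 or fields[0] != ALLOWED_KEY_TYPE:
        return False
    try:
        blob = base64.b64decode(fields[1], validate=True)
        key_type, off = _read_string(blob, 0)
        curve, off = _read_string(blob, off)
        point, off = _read_string(blob, off)
    except (ValueError, struct.error):
        return False  # not base64, or blob too short to hold the three fields
    return (key_type == ALLOWED_KEY_TYPE.encode()
            and curve == ALLOWED_CURVE.encode()
            and len(point) == P384_POINT_LEN and point[0] == 0x04
            and off == len(blob))  # no trailing bytes after the point

def make_key_line(key_type, curve, point, label=None):
    """Build an authorized_keys line from CONSTRUCTED sample material (not a real key pair)."""
    blob = _ssh_string(key_type.encode()) + _ssh_string(curve.encode()) + _ssh_string(point)
    return f"{label or key_type} {base64.b64encode(blob).decode()} constructed@example"

if __name__ == "__main__":
    p384 = make_key_line("ecdsa-sha2-nistp384", "nistp384", b"\x04" + b"\x11" * 96)
    p256 = make_key_line("ecdsa-sha2-nistp256", "nistp256", b"\x04" + b"\x11" * 64)
    # Label claims P-384 but the encoded blob is a P-256 key: must be rejected.
    mislabelled = make_key_line("ecdsa-sha2-nistp256", "nistp256",
                                b"\x04" + b"\x11" * 64, label="ecdsa-sha2-nistp384")
    for name, line in (("p384", p384), ("p256", p256), ("mislabelled", mislabelled)):
        print(name, pubkey_allowed(line))
```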
Authentication with an IPsec VPN peer is first established with IKEv2 based on X.509 ECDSA certificates. Peers that attempt to authenticate using certificates that have been revoked via CRLs will be rejected during the key exchange process. IPsec tunnels will not be established until the IKE process has completed successfully for the full chain of trust.
The security management functionality including access to cryptographic keys and TSF data is limited to the Security Administrator role. The TOE is managed via a remote SSH CLI and local serial CLI.
The TOE provides packet filtering and secure IPsec tunneling between the TOE and a trusted VPN endpoint.
The TOE prevents the reading of secret keys, private keys and passwords. During initial startup, the TOE runs a suite of self-tests to demonstrate correct operation of the cryptographic functionality. The TOE provides a means to verify firmware/software updates to the TOE using digital signature prior to installing those updates. The TOE provides reliable time stamps for itself.
The TOE terminates inactive remote and local sessions after an administrator configurable time-period. Sessions can also be terminated by the administrative user. The TOE also displays a configurable login banner prior to authenticating the user.
The TOE provides a trusted path for administration via SSH. Trusted channels are implemented via IPsec to VPN endpoints as well as for audit log receivers.
Space Exploration Technologies Corp
SpaceX Security Certifications Team