DOCSLIB.ORG

Sandisk Cruzer Enterprise FIPS Edition Security Target

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Sandisk Cruzer Enterprise FIPS Edition Security Target SanDisk Cruzer Enterprise FIPS edition Security Target EAL2 Augmented with ALC_FLR.1 Version 1.1 September 24, 2009 SanDisk Cruzer Enterprise FIPS edition Security Target Document History Version Date Author Description 1.0 03-Aug-09 Jussipekka Leiwo Final version. 1.1 24-Sep-09 Ken Hendrie Minor grammatical changes September 24, 2009 Page 2 of 53 SanDisk Cruzer Enterprise FIPS edition Security Target Table of Contents 1 Document Introduction................................................................................................................6 1.1 Document conventions ..........................................................................................................6 1.2 Terminology ...........................................................................................................................6 1.3 References.............................................................................................................................8 1.4 Document organization..........................................................................................................8 2 ST Introduction.............................................................................................................................9 2.1 ST Reference.........................................................................................................................9 2.2 TOE Reference......................................................................................................................9 2.3 TOE Overview .......................................................................................................................9 2.3.1 Usage and major security features of the TOE .................................................................9 2.3.2 TOE Type ........................................................................................................................11 2.3.3 Hardware, software and firmware required by the TOE..................................................12 2.4 TOE Description ..................................................................................................................12 2.4.1 Physical scope of the TOE ..............................................................................................12 2.4.2 Logical scope of the TOE ................................................................................................13 3 Conformance Claims .................................................................................................................15 4 Security Problem Definition ......................................................................................................15 4.1 Threats.................................................................................................................................16 4.2 Organizational security policies ...........................................................................................18 4.3 Assumptions ........................................................................................................................18 5 Security Objectives ....................................................................................................................19 5.1 Security objectives for the TOE ...........................................................................................19 5.2 Security objectives for the environment...............................................................................19 5.2.1 Security objectives for the IT environment ......................................................................19 5.2.2 Security objectives for the non-IT environment...............................................................20 6 Extended components definition..............................................................................................20 7 IT Security Requirements ..........................................................................................................20 7.1 Overview..............................................................................................................................20 7.2 TOE Security Functional Requirements ..............................................................................20 7.2.1 Cryptographic support .....................................................................................................23 7.2.2 User data protection ........................................................................................................25 7.2.3 Identification and authentication......................................................................................30 7.2.4 Security Management .....................................................................................................31 7.2.5 Protection of the TSF ......................................................................................................34 7.2.6 Trusted Paths/Channels..................................................................................................36 7.3 TOE Security Assurance Requirements..............................................................................37 8 TOE Summary Specification .....................................................................................................38 8.1 Overview..............................................................................................................................38 8.2 Security Functions ...............................................................................................................39 8.2.1 User Data Protection .......................................................................................................39 8.2.2 Protection of the TOE......................................................................................................40 8.2.3 Management and access by external devices ................................................................41 8.2.4 Security management .....................................................................................................41 8.2.5 Firmware upgrading ........................................................................................................41 9 Rationale .....................................................................................................................................42 9.1 Conformance claim rationale...............................................................................................42 9.2 Security objectives rationale................................................................................................42 9.2.1 Security objectives for the TOE.......................................................................................42 September 24, 2009 Page 3 of 53 SanDisk Cruzer Enterprise FIPS edition Security Target 9.2.2 Security objectives for the environment ..........................................................................46 9.3 Security requirements rationale...........................................................................................48 9.3.1 SFR dependency rationale..............................................................................................48 9.3.2 Tracing of SFR to security objectives..............................................................................51 9.3.3 SAR justification ..............................................................................................................53 September 24, 2009 Page 4 of 53 SanDisk Cruzer Enterprise FIPS edition Security Target List of Tables Table 1 – Terminology ............................................................................................................................6 Table 2 – ST identification information....................................................................................................9 Table 3 – TOE identification information.................................................................................................9 Table 4 – TOE Security features and characteristics ...........................................................................10 Table 5 – Assets protected by the TOE ................................................................................................15 Table 6 – Subjects relevant to the TOE ................................................................................................15 Table 7 – Threat statements .................................................................................................................16 Table 8 – Organizational Security Policies ...........................................................................................18 Table 9 – Security objectives for the TOE ............................................................................................19 Table 10 – Security objectives for the IT environment..........................................................................19 Table 11 – Summary of TOE Security Functional Requirements.........................................................20 Table 12 – Summary of TOE security assurance requirements...........................................................38 Table 13 – Mapping of TOE security objectives to threats ...................................................................42 Table 14 – Mapping of security objectives for the environment to threats and OSPs..........................46 Table 15 – TOE SFR dependency demonstration................................................................................48 Table 16 – Mapping
Load more

Recommended publications
  • Sandisk Cruzer Ent.Indd
    Cruzer Enterprise Secure Enterprise-Grade Portable Storage USB Flash drives have transformed from consumer Works in Harmony With Your gadgets into must-have productivity tools used Existing IT Infrastructure by business professionals everywhere. However, most portable storage devices used in the Cruzer Enterprise helps make the introduction of corporate environment are privately owned and secure, personal storage a simple and seamless lack the security and control measures required process. Cruzer Enterprise requires very little effort by organizations. This exposes organizations to to deploy or support, since it requires no installation tremendous risks and liabilities when a device of dedicated drivers and no administrative rights containing sensitive information is lost or stolen. to operate. That means business professionals can Data loss can potentially lead to damaging results, easily and effectively take their data beyond the such as expensive customer notifi cations, a corporate network to personal home computers, compromised company image, and failure to meet customer sites, and hotel business centers regulatory requirements. — ensuring anytime, anywhere access to critical business information. Secure Portable Storage — Strong and Simple Cruzer Enterprise has also been rigorously tested with leading solutions which enforce policies on the Cruzer® Enterprise USB drives are specifi cally usage of removable devices. This allows for Cruzer designed to meet the unique security, compliance, Enterprise to work seamlessly, without having to and manageability needs of enterprise-size compromise endpoint security. businesses. It does not rely upon users to decide which fi les to secure. Instead it requires mandatory access control for all fi les, storing them in an encrypted, password-protected partition.
    [Show full text]
  • Cyberpro December 4, 2008
    Volume 1, Edition 15 CyberPro December 4, 2008 Keeping Cyberspace Professionals Informed Officers The articles and information appearing herein are intended for President educational purposes to promote discussion in the public interest and to Larry K. McKee, Jr. keep subscribers who are involved in the development of Cyber-related concepts and initiatives informed on items of common interest. The Senior Analyst newsletter and the information contained therein are not intended to Jim Ed Crouch provide a competitive advantage for any commercial firm. Any ------------------------------ misuse or unauthorized use of the newsletter and its contents will result CyberPro Research in removal from the distribution list and/or possible administrative, civil, Analyst and/or criminal action. Kathryn Stephens The views, opinions, and/or findings and recommendations contained in this summary are those of the authors and should not be construed as an official position, policy, or decision of the United States Government, CyberPro Archive U.S. Department of Defense, or National Security Cyberspace Institute. To subscribe or unsubscribe to this newsletter click here CyberPro News Subscription. Please contact Larry McKee , ph. (757) 871-3578, regarding CyberPro subscription, sponsorship, and/or advertisement. All rights reserved. CyberPro may not be published, broadcast, rewritten or redistributed without prior NSCI consent. 110 Royal Aberdeen Smithfield, VA 23430 ph. (757) 871 - 3578 CyberPro National Security Cyberspace Institute P a g e | 1 Volume
    [Show full text]
  • Security Analysis of USB Drive Student: Bc
    ASSIGNMENT OF MASTER’S THESIS Title: Security analysis of USB drive Student: Bc. David Jagoš Supervisor: Ing. Jiří Buček, Ph.D. Study Programme: Informatics Study Branch: Design and Programming of Embedded Systems Department: Department of Digital Design Validity: Until the end of winter semester 2019/20 Instructions Research existing vulnerabilities of encrypted USB drives. Perform a security analysis of Kingston DataTraveler Vault Privacy encrypted flash drive. Try to find its vulnerabilities in order to extract stored data without knowledge of the password. - Analyze the internal structure of the flash drive. - Analyze the client software supplied with the flash drive. - Analyze and document undocumented APIs. - Perform experiments in order to analyze the dependency of the encryption key on the password. Evaluate the results and discuss potential impact of your findings. References Will be provided by the supervisor. doc. Ing. Hana Kubátová, CSc. doc. RNDr. Ing. Marcel Jiřina, Ph.D. Head of Department Dean Prague February 23, 2018 Master’s thesis Security analysis of USB drive Bc. David Jagoˇs Department of Digital Design Supervisor: Ing. Jiˇr´ıBuˇcek January 10, 2019 Acknowledgements I’d like to thank my supervisor, Ing. Jiˇr´ıBuˇcek,for his counsel and immense patience. Declaration I hereby declare that the presented thesis is my own work and that I have cited all sources of information in accordance with the Guideline for adhering to ethical principles when elaborating an academic final thesis. I acknowledge that my thesis is subject to the rights and obligations stip- ulated by the Act No. 121/2000 Coll., the Copyright Act, as amended, in particular that the Czech Technical University in Prague has the right to con- clude a license agreement on the utilization of this thesis as school work under the provisions of Article 60(1) of the Act.
    [Show full text]
  • Encryption Made Simple for Lawyers
    Encryption Made Simple for Lawyers By David G. Ries, Esq. and John W. Simek Encryption is a topic that most attorneys don’t want to touch with a 10-foot pole, but it is becoming a more and more important part of security. Encryption is an electronic process to protect data. It has now reached the point where all attorneys should generally understand encryption, have it available for use when appropriate, and make informed decisions about when encryption should be used and when it is acceptable to avoid it. Fortunately, easy to use options are available today for encryption. Most attorneys will need technical assistance to install and set up encryption, but it’s generally easy from there. Encryption uses a formula to transform readable data into unreadable data. The formula is an algorithm (called a cipher), the readable data is called plaintext, and the unreadable data is called ciphertext. Decryption is the reverse process that uses a key to transform the encrypted data back to readable data. As long as the decryption key is protected, the data is unreadable and secure. While the technical details of how encryption works are complex, it is not necessary for attorneys who use encryption to understand them. Encryption can be used to protect data at rest (on desktops, laptops, servers or portable media) and data in motion (over wired or wireless networks and the Internet). Anyone who has access to encrypted data cannot read or use it unless they have access to the decryption key. Attorneys have ethical and legal duties to protect information relating to clients.
    [Show full text]
  • USB Flash Drive - Wikipedia, the Free Encyclopedia
    USB flash drive - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/USB_flash_drive USB flash drive From Wikipedia, the free encyclopedia A USB flash drive consists of a flash memory data storage device integrated with a USB (Universal Serial Bus) USB Flash Drive interface. USB flash drives are typically removable and rewritable, and physically much smaller than a floppy disk. Most weigh less than 30 g (1 oz).[1] Storage capacities in 2010 can be as large as 256 GB[2] with steady improvements in size and price per capacity expected. Some allow 1 million write or erase cycles[citation needed] and offer a 10-year[citation needed]shelf storage time.[3][4] USB flash drives are often used for the same purposes for which floppy disks or CD-ROMs were used. They are smaller, faster, have thousands of times more capacity, and are more durable and reliable because of their lack of moving parts. Until approximately 2005, most desktop and laptop computers were supplied with floppy disk drives, but floppy disk drives have been abandoned in favor of USB ports. USB Flash drives use the USB mass storage standard, supported natively by modern operating systems such as SanDisk Cruzer Micro is a brand of USB flash drives Linux, Mac OS X, Windows, and other Unix-like systems. USB drives with USB 2.0 support can store more data and transfer faster than a much larger optical disc drives like CD-RW or DVD-RW drives and can be read by many other systems such as the Xbox 360, PlayStation 3, DVD players and in some upcoming mobile smartphones.
    [Show full text]
  • USB Flash Drive - Wikipedia, the Free Encyclopedia
    USB flash drive - Wikipedia, the free encyclopedia http://en.wikipedia.org/wiki/USB_flash_drive USB flash drive From Wikipedia, the free encyclopedia A USB flash drive is a data storage device that includes flash memory with an integrated Universal Serial Bus (USB) interface. USB flash drives are typically removable and rewritable, and physically much smaller than a floppy disk. Most weigh less than 30 grams (1.1 oz). [1] As of September 2011, drives of up to 256 gigabytes (GB) are available. [2] A one-terabyte (TB) drive was unveiled at the 2013 Consumer Electronics Show and will be available during 2013. [3] Storage capacities as large as 2 TB are planned, with steady SanDisk Cruzer Micro, a brand of [4] improvements in size and price per capacity expected. Some allow USB flash drives up to 100,000 write/erase cycles, depending on the exact type of memory chip used, and a 10-year shelf storage time.[5][6][7] USB flash drives are often used for the same purposes for which floppy disks or CD-ROMs were used, i.e., for storage, back-up and transfer of computer files. They are smaller, faster, have thousands of times more capacity, and are more durable and reliable because they have no moving parts. Until about 2005, most desktop and laptop computers were supplied with floppy disk drives in addition to USB A Kingston card reader which accepts ports, but floppy disk drives have been abandoned due to their age Micro SD memory cards (Transcend and due to USB flash drives' growing popularity.
    [Show full text]
  • Towards a Verified Complex Protocol Stack in a Production Kernel: Methodology and Demonstration
    Dartmouth College Dartmouth Digital Commons Dartmouth College Ph.D Dissertations Theses and Dissertations 5-1-2016 Towards A Verified Complex Protocol Stack in a Production Kernel: Methodology and Demonstration Peter C. Johnson Dartmouth College Follow this and additional works at: https://digitalcommons.dartmouth.edu/dissertations Part of the Computer Sciences Commons Recommended Citation Johnson, Peter C., "Towards A Verified Complex Protocol Stack in a Production Kernel: Methodology and Demonstration" (2016). Dartmouth College Ph.D Dissertations. 51. https://digitalcommons.dartmouth.edu/dissertations/51 This Thesis (Ph.D.) is brought to you for free and open access by the Theses and Dissertations at Dartmouth Digital Commons. It has been accepted for inclusion in Dartmouth College Ph.D Dissertations by an authorized administrator of Dartmouth Digital Commons. For more information, please contact [email protected]. TOWARDS A VERIFIED COMPLEX PROTOCOL STACK IN A PRODUCTION KERNEL: METHODOLOGY AND DEMONSTRATION A Thesis Submitted to the Faculty in partial fulfillment of the requirements for the degree of Doctor of Philosophy in Computer Science by Peter C. Johnson DARTMOUTH COLLEGE Hanover, New Hampshire May, 2016 Dartmouth Computer Science Technical Report TR2016-803 Examining Committee: (chair) Sean W. Smith, Ph.D. (co-chair) Sergey Bratus, Ph.D. David F. Kotz, Ph.D. Devin Balkcom, Ph.D. M. Douglas McIlroy, Ph.D. Trent Jaeger, Ph.D. F. Jon Kull, Ph.D. Dean of Graduate Studies ABSTRACT Any useful computer system performs communication and any communication must be parsed before it is computed upon. Given their importance, one might expect parsers to receive a significant share of attention from the security community.
    [Show full text]
  • Cruzer® Enterprise USB Flash Drive with Mandatory Security
    Cruzer® Enterprise USB Flash Drive with Mandatory Security USB flash drives have been transformed from consumer gadgets into must-have productivity tools used by business people everywhere. However, most drives are privately owned and lack the mandatory security and control measures that organizations require. This exposes organizations to tremendous risks when a drive containing sensitive information is lost or stolen, potentially resulting in expensive customer notifications, a compromised company image, or failure to meet regulatory requirements. SanDisk® Cruzer® Enterprise USB flash drive imposes mandatory, hardware-based encryption on all files, protecting mobile data both within and outside the corporate environment. Secure and Manage Enterprise Data, Everywhere Cruzer® Enterprise helps IT professionals more effectively protect information on company-issued USB flash drives. It is specifically designed to meet the unique security, compliance and manageability needs of enterprises. Rather than rely upon users to secure files, it imposes mandatory access control on all files, storing them in a hardware- encrypted, password-protected partition. This secures all stored data in the event of drive loss or theft. Cruzer Enterprise features ultra-fast transfer speeds and a simple user interface, all in a plug-and-play device. Central Management and Control (CMC) client/server software can manage the complete life cycle of Cruzer Product Highlights Enterprise drives, from initial user-deployment, through password administration and data backup, and finally to drive termination if lost or stolen. • Applies powerful, hardware-based encryption • Imposes mandatory security on all files Compatible with Existing IT Infrastructure • Facilitates regulatory compliance • Centrally manageable (using SanDisk CMC Cruzer Enterprise helps make the introduction of secure, software, sold separately) USB flash drives a simple and seamless process.
    [Show full text]
  • Australasian Information Security Evaluation Program
    Australasian Information Security Evaluation Program Certification Report Certificate Number: 2009/60 28 September 2009 Version 1.0 Commonwealth of Australia 2009. Reproduction is authorised provided that the report is copied in its entirety. 28 September 2009 Version 1.0 Page i Amendment Record Version Date Description 1.0 28/09/2009 Public release. 28 September 2009 Version 1.0 Page ii Executive Summary 1 SanDisk’s Cruzer Enterprise FIPS Edition is an encrypted USB storage device used for securely storing files on the FLASH memory of the device. The Cruzer Enterprise FIPS Edition is the Target of Evaluation (TOE), noting that the physical scope of the evaluation includes only the USB device circuit board. While the TOE interface to Central Management and Control (CMC) software was included in the evaluation, the CMC software itself was not evaluated. 2 The evaluated functionality of the TOE was: a) Cryptography. The TOE generates 256-bit AES keys which do not leave the token. The TOE uses SHA-1 for password verification, AES key generation and storing the reference authentication data in an irreversible way. It also performs verification of 1024-bit RSA digital signatures to establish a secure channel with CMC software to verify the authenticity of firmware upgrades. b) Protection of secrets. The TOE preserves the integrity and confidentiality of cryptographic keys and reference authentication data by providing physical and logical protection from unauthorised modification or disclosure. c) Authentication and access control. The TOE requires the user of the host PC to be authenticated prior to accessing encrypted data stored on the TOE.
    [Show full text]
  • Good Practice in Information Handling: Data Encryption
    Good practice in information handling: Data encryption Good practice in information handling: Data encryption For staff and contractors tasked with implementing data security This document is one of a series of good practice guides to help schools, colleges and universities protect personal and sensitive data. Building on good practice from industry and central government these guides describe procedures and possible technical and operational solutions that can help organisations reduce the risks of data security incidents and comply with current legislation. Produced by Becta on behalf of the Department for Children, Schools and Families, these guides have been reviewed and updated with feedback from a number of cross-sector organisations including DCSF, DIUS, JISC Legal, The Information Authority and JANET(UK), as well as from schools, local authorities, RBCs and suppliers. For further information on these guides, please see http://www.becta.org.uk/schools/datasecurity and http://www.becta.org.uk/feandskills/datasecurity. Version 2, March 2009 http://www.becta.org.uk page 1 of 25 © Becta 2009 NOT PROTECTIVELY MARKED Becta | Good practice in information handling: Data encryption Contents 1 What should organisations do?........................................................................ 4 2 Encrypting devices and media.......................................................................... 5 2.1 What needs to be encrypted?...................................................................... 5 3 An overview of encryption solutions...............................................................
    [Show full text]
  • Mega Security Update & CES Observations
    Security Now! Transcript of Episode #231 Page 1 of 47 Transcript of Episode #231 Mega Security Update & CES Observations Description: Leo and Steve catch up on two busy weeks of security news with a "mega security news update" ... and Steve, who watched Leo's streaming video coverage of CES, weighs in with his own discoveries and findings from the big annual consumer electronics fest. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-231.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-231-lq.mp3 Leo Laporte: This is Security Now! with Steve Gibson, Episode 231 for January 14, 2010: The Security Omnibus and CES Update. It's time for Security Now!, Episode 231 in a continuing saga of pain, sorrow, and insecurity. Here's the man protecting us from it all, Mr. Steve Gibson of GRC.com. Hi, Steve. Steve Gibson: Just what everyone wants. Leo: Tune in for the... Steve: A chronology of pain, sorrow, and misery. Leo: Yeah, it's a real uplifting show. Actually, it is, believe it or not, it is an uplifting show because one of the things you get out of it is a sense of what you can do, what's really going on. So I think that that's not an unreasonable description. It's just not sad. Steve: Well, it's funny because when I was killing some time before we started, before we got online, I went over into the chatroom. And my handle there is Steve Gibson.
    [Show full text]
  • Cruzer Enterprise
    Cruzer Enterprise Product Specifications Revision 1.0 Document No. PSP-CRE-0507-11 May, 2007 SanDisk Corporation Corporate Headquarters • 601 McCarthy Blvd. • Milpitas, CA 95035 Phone (408) 801-1000 • Fax (408) 801-8657 www.sandisk.com Cruzer Enterprise Product Specifications Revision 1.0 Table of Contents 1. Scope ................................................................................................................................................ 3 2. Product Overview............................................................................................................................. 3 2.1 Product Architecture ..................................................................................................................... 3 2.2 Data Security................................................................................................................................. 4 2.2.1 Access Control - Maximum Number of Attempts (Max NOA) .................................................... 4 2.2.2 Encryption Algorithms.................................................................................................................. 4 2.3 System Requirements.................................................................................................................... 5 2.4 Product Warranty .......................................................................................................................... 5 3. Product Specifications.....................................................................................................................
    [Show full text]