DOCSLIB.ORG

Security Target

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Security Target Micro Focus Data Protector Premium Edition, 2020.05 (A.10.70) Security Target Version 1.0 6 May 2020 Prepared for: Micro Focus LLC 4555 Great America Parkway Santa Clara, CA 95054 Prepared by: Accredited Testing and Evaluation Labs 6841 Benjamin Franklin Drive Columbia, MD 21046 TABLE OF CONTENTS 1. INTRODUCTION ............................................................................................................................................... 1 1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION ........................................................................................ 1 1.2 CONFORMANCE CLAIMS ................................................................................................................................. 1 1.3 CONVENTIONS ................................................................................................................................................ 2 1.4 GLOSSARY ...................................................................................................................................................... 3 1.5 ABBREVIATIONS AND ACRONYMS .................................................................................................................. 3 2. TOE DESCRIPTION .......................................................................................................................................... 5 2.1 TOE OVERVIEW ............................................................................................................................................. 5 2.2 TOE ARCHITECTURE ...................................................................................................................................... 5 2.2.1 Physical Boundaries .............................................................................................................................. 7 2.2.2 Logical Boundaries ................................................................................................................................ 7 2.3 UNEVALUATED AND EXCLUDED FUNCTIONALITY .......................................................................................... 8 2.4 TOE DOCUMENTATION .................................................................................................................................. 9 3. SECURITY PROBLEM DEFINITION .......................................................................................................... 10 3.1 THREATS ...................................................................................................................................................... 10 3.2 ASSUMPTIONS .............................................................................................................................................. 10 4. SECURITY OBJECTIVES .............................................................................................................................. 11 4.1 SECURITY OBJECTIVES FOR THE TOE ........................................................................................................... 11 4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT ........................................................................................... 11 5. IT SECURITY REQUIREMENTS .................................................................................................................. 12 5.1 EXTENDED REQUIREMENTS .......................................................................................................................... 12 5.2 TOE SECURITY FUNCTIONAL REQUIREMENTS ............................................................................................. 13 5.2.1 Cryptographic Support (FCS).............................................................................................................. 14 5.2.2 User Data Protection (FDP) ............................................................................................................... 17 5.2.3 Identification and Authentication (FIA) ............................................................................................... 17 5.2.4 Security Management (FMT) ............................................................................................................... 18 5.2.5 Privacy (FPR) ...................................................................................................................................... 18 5.2.6 Protection of the TSF (FPT) ................................................................................................................ 18 5.2.7 Trusted Path/Channels (FTP) .............................................................................................................. 19 5.3 TOE SECURITY ASSURANCE REQUIREMENTS ............................................................................................... 20 6. TOE SUMMARY SPECIFICATION .............................................................................................................. 21 6.1 TIMELY SECURITY UPDATES ........................................................................................................................ 21 6.2 CRYPTOGRAPHIC SUPPORT ........................................................................................................................... 21 6.2.1 Random Bit Generation ....................................................................................................................... 21 6.2.2 Cryptographic Key Management ......................................................................................................... 22 6.2.3 Cryptographic Operations ................................................................................................................... 22 6.2.4 Cryptographic Protocols ..................................................................................................................... 23 6.2.5 Credential Storage ............................................................................................................................... 24 6.3 USER DATA PROTECTION ............................................................................................................................. 24 6.4 IDENTIFICATION AND AUTHENTICATION ...................................................................................................... 25 6.4.1 Certificate Authentication .................................................................................................................... 25 6.4.2 Certificate Validation .......................................................................................................................... 25 6.5 SECURITY MANAGEMENT ............................................................................................................................. 26 6.5.1 Secure by Default Configuration ......................................................................................................... 26 6.5.2 Supported Configuration Mechanism .................................................................................................. 27 6.5.3 Specification of Management Functions .............................................................................................. 27 6.6 PRIVACY ....................................................................................................................................................... 27 Page i of ii 6.7 PROTECTION OF THE TSF ............................................................................................................................. 27 6.7.1 Anti-Exploitation Capabilities ............................................................................................................. 27 6.7.2 Supported APIs and Third-Party Libraries ......................................................................................... 28 6.7.3 Software Identification and Versioning ............................................................................................... 28 6.7.4 Trusted Update .................................................................................................................................... 28 6.8 TRUSTED PATH/CHANNELS .......................................................................................................................... 28 7. PROTECTION PROFILE CLAIMS ............................................................................................................... 29 8. RATIONALE ..................................................................................................................................................... 30 8.1 TOE SUMMARY SPECIFICATION RATIONALE ................................................................................................ 30 LIST OF TABLES Table 1 TOE Security Functional Components ...................................................................................................... 14 Table 2 Assurance Components ............................................................................................................................... 20 Table 3 Cryptographic Functions ............................................................................................................................ 23 Table 4 Security Functions vs. Requirements Mapping ......................................................................................... 31 Page ii of ii 1. Introduction This section introduces the Target of Evaluation (TOE) and describes its general functionality, and provides the Security Target (ST) and TOE identification, ST and TOE conformance claims,
Load more

Recommended publications
  • Rhetorical Code Studies Revised Pages
    Revised Pages rhetorical code studies Revised Pages Sweetland Digital rhetoric collaborative Series Editors: Anne Ruggles Gere, University of Michigan Naomi Silver, University of Michigan The Sweetland Digital Rhetoric Collaborative Book Series publishes texts that investigate the multiliteracies of digitally mediated spaces both within academia as well as other contexts. Rhetorical Code Studies: Discovering Arguments in and around Code Kevin Brock Developing Writers in Higher Education: A Longitudinal Study Anne Ruggles Gere, Editor Sites of Translation: What Multilinguals Can Teach Us about Digital Writing and Rhetoric Laura Gonzales Rhizcomics: Rhetoric, Technology, and New Media Composition Jason Helms Making Space: Writing, Instruction, Infrastrucure, and Multiliteracies James P. Purdy and Dànielle Nicole DeVoss, Editors Digital Samaritans: Rhetorical Delivery and Engagement in the Digital Humanities Jim Ridolfo diGitalculturebooks, an imprint of the University of Michigan Press, is dedicated to publishing work in new media studies and the emerging field of digital humanities. Revised Pages Rhetorical Code Studies discovering arguments in and around code Kevin Brock University of Michigan Press ann arbor Revised Pages Copyright © 2019 by Kevin Brock Some rights reserved This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License. Note to users: A Creative Commons license is only valid when it is applied by the person or entity that holds rights to the licensed work. Works may contain components (e.g., photo- graphs, illustrations, or quotations) to which the rightsholder in the work cannot apply the license. It is ultimately your responsibility to independently evaluate the copyright status of any work or component part of a work you use, in light of your intended use.
    [Show full text]
  • Medtronic Care Management Services, LLC CC FM TLS/SRTP FIPS 140
    Medtronic Care Management Services, LLC CC FM TLS/SRTP FIPS 140‐2 Cryptographic Module Non‐Proprietary Security Policy Version: 1.6 Date: March 16, 2016 Copyright Medtronic Care Management Services 2016 Version 1.6 Page 1 of 14 Medtronic Care Management Services Public Material – May be reproduced only in its original entirety (without revision). Table of Contents 1 Introduction .................................................................................................................... 4 1.1 Cryptographic Boundary ..............................................................................................................5 1.2 Mode of Operation .......................................................................................................................5 2 Cryptographic Functionality ............................................................................................. 6 2.1 Critical Security Parameters .........................................................................................................7 2.2 Public Keys ....................................................................................................................................8 3 Roles, Authentication and Services .................................................................................. 8 3.1 Assumption of Roles .....................................................................................................................8 3.2 Services and CSP Access Rights ....................................................................................................8
    [Show full text]
  • Travstar1 V10.01.02-XXXX XXX
    Travstar1 v10.01.02-XXXX_XXX Fiscal Systems, Inc. 4946 Research Drive Huntsville, AL 35805 Office: (256) 772-8920 Help Desk: (800) 838-4549, Option 3 www.fis-cal.com Document Version History Version Description Approved Date 1.0 Initial Release for Version 9.00 KDS 15 JUL 09 1.1 Changed Patch and Update Instructions KDS 11 NOV 09 Annual Review 1.2 KDS 22 APR 10 Corrected Typographical Errors 1.3 Annual Review KDS 12 JUL 11 Annual Review Verified reference web links are valid 1.4 KDS 10 AUG 12 Updated web link on qualified QSAs Updated web link for PCI wireless guidelines Annual Review 12 JUN 13 1.5 Verified reference web links are valid KDS Added Log Review Instructions Annual Review 1.6 KDS 16 JUN 14 Verified reference web links are valid Annual Review Verified reference web links are valid 1.7 Updated Business Address NBJ 30 MAR 15 Updated Secure Access Control Added detailed Log Review Setup Instructions 1.8 Added Software Versioning Methodology NBJ 14 OCT 15 Added Required Ports/Services 1.9 Modified Log review Setup Instructions NBJ 19 OCT 15 Added Centralized Logging Updated Required Ports/Services 2.0 Updated Secure Remote Updates NBJ 02 FEB 16 Updated Auditing and Centralized Logging 2.1 Updated Software Versioning Methodology NBJ 17 Feb 16 Full Certification 2.2 BTH 5 May 17 Updated Software Versioning Methodology Updated Introduction Updated Remote Access to “Multi-factor” 2.3 Revised Version number BTH 22 JUN 17 Updated “Travstar1 POS” to just “Travstar1 ” for clarity. Minor wording changes throughout for clarity Adjusted Wording of PCI-DSS requirements to match PCI-DSS 3.2 Updated network connections to clearly define 2.4 BTH 02 AUG 17 every connection Updated references to stored cardholder data to state that it is only stored during preauthorization.
    [Show full text]
  • No Random, No Ransom: a Key to Stop Cryptographic Ransomware
    No Random, No Ransom: A Key to Stop Cryptographic Ransomware Ziya Alper Genç, Gabriele Lenzini, and Peter Y.A. Ryan Interdisciplinary Centre for Security Reliability and Trust (SnT) University of Luxembourg Abstract. To be effective, ransomware has to implement strong encryp- tion, and strong encryption in turn requires a good source of random numbers. Without access to true randomness, ransomware relies on the pseudo random number generators that modern Operating Systems make available to applications. With this insight, we propose a strategy to miti- gate ransomware attacks that considers pseudo random number generator functions as critical resources, controls accesses on their APIs and stops unauthorized applications that call them. Our strategy, tested against 524 active real-world ransomware samples, stops 94% of them, including WannaCry, Locky, CryptoLocker and CryptoWall. Remarkably, it also nullifies NotPetya, the latest offspring of the family which so far has eluded all defenses. Keywords: ransomware, cryptographic malware, randomness, mitigation. 1 Introduction Ransomware is a malware, a malicious software that blocks access to victim’s data. In contrast to traditional malware, whose break-down is permanent, ransomware’s damage is reversible: access to files can be restored on the payment of a ransom, usually a few hundreds US dollars in virtual coins. Despite being relatively new, this cyber-crime is spreading fast and it is believed to become soon a worldwide pandemic. According to [24], a US Govern- ment’s white paper dated June 2016, on average more than 4,000 ransomware attacks occurred daily in the USA. This is 300-percent increase from the previous year and such important increment is probably due to the cyber-crime’s solid business model: with a small investment there is a considerable pecuniary gain which, thanks to the virtual currency technology, can be collected reliably and in a way that is not traceable by the authorities.
    [Show full text]
  • Book of Abstracts
    The Association for Literary and Lingustic Computing The Association for Computers and the Humanities Society for Digital Humanities — Société pour l’étude des médias interactifs Digital Humanities 2008 The 20th Joint International Conference of the Association for Literary and Linguistic Computing, and the Association for Computers and the Humanities and The 1st Joint International Conference of the Association for Literary and Linguistic Computing, the Association for Computers and the Humanities, and the Society for Digital Humanities — Société pour l’étude des médias interactifs University of Oulu, Finland 24 – 29 June, 2008 Conference Abstracts International Programme Committee • Espen Ore, National Library of Norway, Chair • Jean Anderson, University of Glasgow, UK • John Nerbonne, University of Groningen, The Netherlands • Stephen Ramsay, University of Nebraska, USA • Thomas Rommel, International Univ. Bremen, Germany • Susan Schreibman, University of Maryland, USA • Paul Spence, King’s College London, UK • Melissa Terras, University College London, UK • Claire Warwick, University College London, UK, Vice Chair Local organizers • Lisa Lena Opas-Hänninen, English Philology • Riikka Mikkola, English Philology • Mikko Jokelainen, English Philology • Ilkka Juuso, Electrical and Information Engineering • Toni Saranpää, English Philology • Tapio Seppänen, Electrical and Information Engineering • Raili Saarela, Congress Services Edited by • Lisa Lena Opas-Hänninen • Mikko Jokelainen • Ilkka Juuso • Tapio Seppänen ISBN: 978-951-42-8838-8 Published by English Philology University of Oulu Cover design: Ilkka Juuso, University of Oulu © 2008 University of Oulu and the authors. _____________________________________________________________________________Digital Humanities 2008 Introduction On behalf of the local organizers I am delighted to welcome you to the 25th Joint International Conference of the Association for Literary and Linguistic Computing (ALLC) and the Association for Computers and the Humanities (ACH) at the University of Oulu.
    [Show full text]
  • Cryptanalysis of the Random Number Generator of the Windows Operating System
    Cryptanalysis of the Random Number Generator of the Windows Operating System Leo Dorrendorf School of Engineering and Computer Science The Hebrew University of Jerusalem 91904 Jerusalem, Israel [email protected] Zvi Gutterman Benny Pinkas¤ School of Engineering and Computer Science Department of Computer Science The Hebrew University of Jerusalem University of Haifa 91904 Jerusalem, Israel 31905 Haifa, Israel [email protected] [email protected] November 4, 2007 Abstract The pseudo-random number generator (PRNG) used by the Windows operating system is the most commonly used PRNG. The pseudo-randomness of the output of this generator is crucial for the security of almost any application running in Windows. Nevertheless, its exact algorithm was never published. We examined the binary code of a distribution of Windows 2000, which is still the second most popular operating system after Windows XP. (This investigation was done without any help from Microsoft.) We reconstructed, for the ¯rst time, the algorithm used by the pseudo- random number generator (namely, the function CryptGenRandom). We analyzed the security of the algorithm and found a non-trivial attack: given the internal state of the generator, the previous state can be computed in O(223) work (this is an attack on the forward-security of the generator, an O(1) attack on backward security is trivial). The attack on forward-security demonstrates that the design of the generator is flawed, since it is well known how to prevent such attacks. We also analyzed the way in which the generator is run by the operating system, and found that it ampli¯es the e®ect of the attacks: The generator is run in user mode rather than in kernel mode, and therefore it is easy to access its state even without administrator privileges.
    [Show full text]
  • Component Evolution and Versioning State of the Art
    ACM SIGSOFT Software Engineering Notes Page 1 January 2005 Volume 30 Number 1 Component Evolution and Versioning State of the Art Alexander Stuckenholz FernUniversitat¨ in Hagen Lehrgebiet fur¨ Datenverarbeitungstechnik Universitatsstrasse¨ 27, 58084 Hagen, Germany [email protected] October 26, 2004 Abstract the kind of information about the running system as well as the lifecycle of the component in which the mechanisms are applied. Emerging component-based software development architectures The most frequently used technology in this area is versioning. promise better re-use of software components, greater flexibility, Versioning mechanisms are typically used to distinguish evolv- scalability and higher quality of services. But like any other piece ing software artifacts over time. As we will show in section 4 on of software too, software components are hardly perfect, when be- page 4, these mechanisms play an important role in component ing created. Problems and bugs have to be fixed and new features based software development too. need to be added. This paper presents an overview of current versioning mecha- This paper analyzes the problem of component evolution and nisms and substitutability checks in the area of component based the incompatibilities which result during component upgrades. software development. In a comparison, these systems will be We present the state of the art in component versioning and com- evaluated against their usability in the case of component up- pare the different methods in component models, frameworks and grades. Here we come to the conclusions that the available so- programming languages. Special attention is put on the automa- lutions are not sufficient to reduce version conflicts in component tion of processes and tool support in this area.
    [Show full text]
  • Chrome, Edge, and Firefox Integration
    Blue Prism 7.0 Chrome, Edge, and Firefox Integration Document Revision: 1.0 Blue Prism 7.0 | Chrome, Edge, and Firefox Integration Trademarks and Copyright Trademarks and Copyright The information contained in this document is the proprietary and confidential information of Blue Prism Limited and should not be disclosed to a third-party without the written consent of an authorized Blue Prism representative. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying without the written permission of Blue Prism Limited. © Blue Prism Limited, 2001 – 2021 © “Blue Prism”, the “Blue Prism” logo and Prism device are either trademarks or registered trademarks of Blue Prism Limited and its affiliates. All Rights Reserved. All trademarks are hereby acknowledged and are used to the benefit of their respective owners. Blue Prism is not responsible for the content of external websites referenced by this document. Blue Prism Limited, 2 Cinnamon Park, Crab Lane, Warrington, WA2 0XP, United Kingdom. Registered in England: Reg. No. 4260035. Tel: +44 370 879 3000. Web: www.blueprism.com Commercial in Confidence Page ii Blue Prism 7.0 | Chrome, Edge, and Firefox Integration Contents Contents TrademarksContents and Copyright iiiii Chrome, Edge, and Firefox integration 4 Browser extension compatibility 4 Chrome browser extension 5 Prerequisites 5 Install the Chrome browser extension using the Blue Prism installer 6 Install from the Bluecommand Prism line installer 67 Install the
    [Show full text]
  • Open Source As an Alternative to Commercial Software
    OPEN-SOURCE AS AN ALTERNATIVE TO COMMERCIAL SOFTWARE Final Report 583 Prepared by: Sean Coleman 2401 E Rio Salado Pkwy. #1179 Tempe, Arizona 85281 March 2009 Prepared for: Arizona Department of Transportation 206 South 17th Avenue Phoenix, Arizona 85007 in cooperation with U.S. Department of Transportation Federal Highway Administration The contents of this report reflect the views of the authors who are responsible for the facts and the accuracy of the data presented herein. The contents do not necessarily reflect the official views or policies of the Arizona Department of Transportation or the Federal Highway Administration. This report does not constitute a standard, specification, or regulation. Trade or manufacturers’ names which may appear herein are cited only because they are considered essential to the objectives of the report. The U.S. Government and the State of Arizona do not endorse products or manufacturers. TECHNICAL REPORT DOCUMENTATION PAGE 1. Report No. 2. Government Accession No. 3. Recipient’s Catalog No. FHWA-AZ-09-583 4. Title and Subtitle 5. Report Date: March, 2009 Open-Source as an Alternative to Commercial Software 6. Performing Organization Code 7. Authors: 8. Performing Organization Sean Coleman Report No. 9. Performing Organization Name and Address 10. Work Unit No. Sean Coleman 11. Contract or Grant No. 2401 E Rio Salado Pkwy, #1179 SPR-583 Tempe, AZ 85281 12. Sponsoring Agency Name and Address 13. Type of Report & Period Arizona Department of Transportation Covered 206 S. 17th Ave. Phoenix, AZ 85007 14. Sponsoring Agency Code Project Managers: Frank DiBugnara, John Semmens, and Steve Rost 15. Supplementary Notes 16.
    [Show full text]
  • Idiomatic and Reproducible Software Builds Using Containers for Reliable Computing
    Master’s Thesis Idiomatic and Reproducible Software Builds using Containers for Reliable Computing Jonas Weber April 18, 2016 arXiv:1702.02999v1 [cs.SE] 9 Feb 2017 Albert-Ludwigs-Universität Freiburg Faculty of Engineering Department of Computer Science Bioinformatics Eingereichte Masterarbeit gemäß den Bestimmungen der Prüfungsordnung der Albert-Ludwidgs-Universität Freiburg für den Studiengang Master of Science (M.Sc.) Informatik vom 19. August 2005. Bearbeitungszeitraum 12. Januar 2016 - 12. Juli 2016 Gutachter Prof. Dr. Rolf Backofen Head of the Group Chair for Bioinformatics Zweitgutachter Prof. Dr. Christoph Scholl Director Chair of Operating Systems Betreuer Dr. Björn Grüning Abstract Containers as the unit of application delivery are the ‘next big thing’ in the software development world. They enable developers to create an executable image containing an application bundled with all its dependencies which a user can run inside a controlled environment with virtualized resources. Complex workflows for business-critical applications and research environments require a high degree of reproducibility which can be accomplished using uniquely identified images as units of computation. It will be shown in this thesis that the most widely used approaches to create an image from pre-existing software or from source code lack the ability to provide idiomaticity in their use of the technology as well as proper reproducibility safe-guards. In the first part, existing approaches are formalized and discussed and a new approach is introduced. The approaches are then evaluated using a suite of three different examples. This thesis provides a framework for formalizing operations involving a layered file system, containers and images, and a novel approach to the creation of images using utility containers and layer donning fulfilling the idiomaticity and reproducibility criteria.
    [Show full text]
  • Software Development a Practical Approach!
    Software Development A Practical Approach! Hans-Petter Halvorsen https://www.halvorsen.blog https://halvorsen.blog Software Development A Practical Approach! Hans-Petter Halvorsen Software Development A Practical Approach! Hans-Petter Halvorsen Copyright © 2020 ISBN: 978-82-691106-0-9 Publisher Identifier: 978-82-691106 https://halvorsen.blog ii Preface The main goal with this document: • To give you an overview of what software engineering is • To take you beyond programming to engineering software What is Software Development? It is a complex process to develop modern and professional software today. This document tries to give a brief overview of Software Development. This document tries to focus on a practical approach regarding Software Development. So why do we need System Engineering? Here are some key factors: • Understand Customer Requirements o What does the customer needs (because they may not know it!) o Transform Customer requirements into working software • Planning o How do we reach our goals? o Will we finish within deadline? o Resources o What can go wrong? • Implementation o What kind of platforms and architecture should be used? o Split your work into manageable pieces iii • Quality and Performance o Make sure the software fulfills the customers’ needs We will learn how to build good (i.e. high quality) software, which includes: • Requirements Specification • Technical Design • Good User Experience (UX) • Improved Code Quality and Implementation • Testing • System Documentation • User Documentation • etc. You will find additional resources on this web page: http://www.halvorsen.blog/documents/programming/software_engineering/ iv Information about the author: Hans-Petter Halvorsen The author currently works at the University of South-Eastern Norway.
    [Show full text]
  • Vulnerabilities of the Linux Random Number Generator
    Black Hat 2006 Open to Attack Vulnerabilities of the Linux Random Number Generator Zvi Gutterman Chief Technology Officer with Benny Pinkas Tzachy Reinman Zvi Gutterman CTO, Safend Previously a chief architect in the IP infrastructure group for ECTEL (NASDAQ:ECTX) and an officer in the Israeli Defense Forces (IDF) Elite Intelligence unit. Master's and Bachelor's degrees in Computer Science from the Israeli Institute of Technology. Ph.D. candidate at the Hebrew University of Jerusalem, focusing on security, network protocols, and software engineering. - Proprietary & Confidential - Safend Safend is a leading provider of innovative endpoint security solutions that protect against corporate data leakage and penetration via physical and wireless ports. Safend Auditor and Safend Protector deliver complete visibility and granular control over all enterprise endpoints. Safend's robust, ultra- secure solutions are intuitive to manage, almost impossible to circumvent, and guarantee connectivity and productivity, without sacrificing security. For more information, visit www.safend.com. - Proprietary & Confidential - Pseudo-Random-Number-Generator (PRNG) Elementary and critical component in many cryptographic protocols Usually: “… Alice picks key K at random …” In practice looks like random.nextBytes(bytes); session_id = digest.digest(bytes); • Which is equal to session_id = md5(get next 16 random bytes) - Proprietary & Confidential - If the PRNG is predictable the cryptosystem is not secure Demonstrated in - Netscape SSL [GoldbergWagner 96] http://www.cs.berkeley.edu/~daw/papers/ddj-netscape.html Apache session-id’s [GuttermanMalkhi 05] http://www.gutterman.net/publications/2005/02/hold_your_sessions_an_attack_o.html - Proprietary & Confidential - General PRNG Scheme 0 0 01 Stateseed 110 100010 Properties: 1. Pseudo-randomness Output bits are indistinguishable from uniform random stream 2.
    [Show full text]