www.GossamerSec.com Assurance Activity Report for Samsung Electronics Co., Ltd.Samsung Galaxy Devices on Android 11 - Spring Version 0.3 03/11/2021 Prepared by: Gossamer Security Solutions Accredited Security Testing Laboratory – Common Criteria Testing Columbia, MD 21045 Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Document: AAR-VID11160 © 2021 Gossamer Security Solutions, Inc. All rights reserved. Version 0.3, 03/11/2021 REVISION HISTORY Revision Date Authors Summary Version 0.1 02/03/2021 Compton Initial Draft Version 0.2 03/08/2021 Compton Addressed ECR Comments Version 0.3 03/11/2021 Compton Addressed ECR Comments The TOE Evaluation was Sponsored by: Samsung Electronics Co., Ltd. 416 Maetan-3dong, Yeongtong-gu, Suwon-si, Gyeonggi-do, 443-742 Korea Evaluation Personnel: James Arnold Tammy Compton Andrew Ding Common Criteria Versions: Common Criteria for Information Technology Security Evaluation Part 1: Introduction, Version 3.1, Revision 5, April 2017 Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 5, April 2017 Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1, Revision 5, April 2017 Common Evaluation Methodology Versions: Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017 GSS CCT Assurance Activity Report Page 2 of 215 © 2021 Gossamer Security Solutions, Inc. Document: AAR-VID11160 All rights reserved. Version 0.3, 03/11/2021 TABLE OF CONTENTS 1. Introduction ........................................................................................................................................................... 8 1.1 Device Equivalence ...................................................................................................................................... 8 1.2 CAVP Algorithms ........................................................................................................................................ 13 2. Protection Profile SFR Assurance Activities ......................................................................................................... 18 2.1 Security audit (FAU) ................................................................................................................................... 18 2.1.1 Audit Data Generation (FAU_GEN.1) .................................................................................................... 18 2.1.2 Audit Review (FAU_SAR.1) .................................................................................................................... 19 2.1.3 Selective Audit (FAU_SEL.1) .................................................................................................................. 20 2.1.4 Audit Storage Protection (FAU_STG.1) ................................................................................................. 21 2.1.5 Prevention of Audit Data Loss (FAU_STG.4) ......................................................................................... 22 2.2 Cryptographic support (FCS) ...................................................................................................................... 23 2.2.1 Cryptographic key generation (FCS_CKM.1) ......................................................................................... 23 2.2.2 Cryptographic Key Generation (IKE) (MOD_VPN_CLI_V2.1:FCS_CKM.1) ............................................. 27 2.2.3 Cryptographic Key Generation (Symmetric Keys for WPA2 Connections) - WLAN (PP_WLAN_CLI_EP_V1.0:FCS_CKM.1) ................................................................................................................. 27 2.2.4 Cryptographic key establishment (FCS_CKM.2(1)) ............................................................................... 30 2.2.5 Cryptographic key establishment (While device is locked) (FCS_CKM.2(2)) ........................................ 33 2.2.6 Cryptographic Key Distribution (GTK) - WLAN (PP_WLAN_CLI_EP_V1.0:FCS_CKM.2) ......................... 34 2.2.7 Extended: Cryptographic Key Support (FCS_CKM_EXT.1) .................................................................... 36 2.2.8 Extended: Cryptographic Key Random Generation (FCS_CKM_EXT.2) ................................................. 37 2.2.9 Extended: Cryptographic Key Generation (FCS_CKM_EXT.3) ............................................................... 43 2.2.10 Extended: Key Destruction (FCS_CKM_EXT.4) .................................................................................. 48 2.2.11 Extended: TSF Wipe (FCS_CKM_EXT.5) ............................................................................................ 50 2.2.12 Extended: Salt Generation (FCS_CKM_EXT.6) .................................................................................. 52 2.2.13 Cryptographic operation (FCS_COP.1(1)) ......................................................................................... 53 2.2.14 Cryptographic operation (FCS_COP.1(2)) ......................................................................................... 58 2.2.15 Cryptographic operation (FCS_COP.1(3)) ......................................................................................... 59 2.2.16 Cryptographic operation (FCS_COP.1(4)) ......................................................................................... 61 2.2.17 Cryptographic operation (FCS_COP.1(5)) ......................................................................................... 61 2.2.18 Extended: HTTPS Protocol (FCS_HTTPS_EXT.1) ................................................................................ 62 GSS CCT Assurance Activity Report Page 3 of 215 © 2021 Gossamer Security Solutions, Inc. Document: AAR-VID11160 All rights reserved. Version 0.3, 03/11/2021 2.2.19 IPsec (MOD_VPN_CLI_V2.1:FCS_IPSEC_EXT.1) ................................................................................ 63 2.2.20 Extended: Initialization Vector Generation (FCS_IV_EXT.1) ............................................................. 78 2.2.21 Extended: Cryptographic Operation (Random Bit Generation) (FCS_RBG_EXT.1) ........................... 79 2.2.22 Extended: Cryptographic Operation (Random Bit Generation) (FCS_RBG_EXT.2) ........................... 81 2.2.23 Extended: Cryptographic Algorithm Services (FCS_SRV_EXT.1) ....................................................... 81 2.2.24 Extended: Cryptographic Algorithm Services (FCS_SRV_EXT.2) ....................................................... 82 2.2.25 Extended: Cryptographic Key Storage (FCS_STG_EXT.1) .................................................................. 83 2.2.26 Extended: Encrypted Cryptographic Key Storage (FCS_STG_EXT.2)................................................. 86 2.2.27 Extended: Integrity of encrypted key storage (FCS_STG_EXT.3) ...................................................... 87 2.2.28 Extended: TLS Protocol (FCS_TLSC_EXT.1) ....................................................................................... 88 2.2.29 Extensible Authentication Protocol-Transport Layer Security - WLAN (PP_WLAN_CLI_EP_V1.0:FCS_TLSC_EXT.1) ......................................................................................................... 94 2.2.30 Extended: TLS Protocol (FCS_TLSC_EXT.2) ....................................................................................... 97 2.2.31 TLS Client Protocol - WLAN (PP_WLAN_CLI_EP_V1.0:FCS_TLSC_EXT.2) .......................................... 98 2.3 User data protection (FDP) ........................................................................................................................ 98 2.3.1 Extended: Security access control (FDP_ACF_EXT.1) ............................................................................ 98 2.3.2 Extended: Security access control (FDP_ACF_EXT.2) .......................................................................... 102 2.3.3 Extended: Security attribute based access control (FDP_ACF_EXT.3) ................................................ 102 2.3.4 Extended: Protected Data Encryption (FDP_DAR_EXT.1) ................................................................... 103 2.3.5 Extended: Sensitive Data Encryption (FDP_DAR_EXT.2) ..................................................................... 105 2.3.6 Extended: Subset information flow control (FDP_IFC_EXT.1) ............................................................ 107 2.3.7 MOD_VPN_CLI_V2.1: FDP_IFC_EXT.1: Extended: Subset information flow control ........................... 109 2.3.8 Extended: Storage of Critical Biometric Parameters (FDP_PBA_EXT.1) ............................................. 110 2.3.9 Full Residual Information Protection (MOD_VPN_CLI_V2.1:FDP_RIP.2) ............................................ 111 2.3.10 Extended: User Data Storage (FDP_STG_EXT.1) ............................................................................. 112 2.3.11 Extended: Inter-TSF user data transfer protection (FDP_UPC_EXT.1) ........................................... 112 2.4 Identification and authentication (FIA) .................................................................................................... 114 2.4.1 Extended: Authentication failure handling (FIA_AFL_EXT.1) .............................................................. 114 2.4.2 Extended: Bluetooth User Authorization (FIA_BLT_EXT.1)