C011 Certification Report NetMATRIX TLE Version 1.0 Build number 00010003 File name: ISCB-5-RPT-C011-CR-v1a Version: v1a Date of document: 15 March 2011 Document classification: PUBLIC For general inquiry about us or our services, please email: [email protected]


PUBLIC

FINAL

C011 Certification Report - NetMATRIX TLE Version

1.0 Build number 00010003

ISCB-5-RPT-C011-CR-v1a


ISCB Department

CyberSecurity Malaysia

Level 8, Block A, Mines Waterfront Business Park,

No 3 Jalan Tasik, The Mines Resort City

43300 Seri Kembangan, Selangor, Malaysia

Tel: +603 8946 0999 Fax: +603 8946 0888

http://www.cybersecurity.my


Document Authorisation

DOCUMENT TITLE: C011 Certification Report - NetMATRIX TLE Version 1.0 Build number 00010003

DOCUMENT REFERENCE: ISCB-5-RPT-C011-CR-v1a

ISSUE: v1a

DATE: 15 March 2011

DISTRIBUTION: UNCONTROLLED COPY - FOR UNLIMITED USE AND DISTRIBUTION


Copyright Statement

The copyright of this document, which may contain proprietary information, is the property of CyberSecurity Malaysia.

The document shall be held in safe custody.

©CYBERSECURITY MALAYSIA, 2011

Registered office:

Level 8, Block A,
Mines Waterfront Business Park,
No 3 Jalan Tasik, The Mines Resort City,
43300 Seri Kembangan
Selangor Malaysia

Registered in Malaysia – Company Limited by Guarantee

Company No. 726630-U

Printed in Malaysia


Foreword

The Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme has been established under the 9th Malaysian Plan to increase Malaysia’s competitiveness in quality assurance of information security based on the Common Criteria (CC) standard and to build consumers’ confidence towards Malaysian information security products.

The MyCC Scheme is operated by CyberSecurity Malaysia and provides a model for licensed Malaysian Security Evaluation Facilities (MySEFs) to conduct security evaluations of ICT products, systems and protection profiles against internationally recognised standards. The results of these evaluations are certified by the Malaysian Common Criteria Certification Body (MyCB) Unit, a unit established within the Information Security Certification Body (ISCB) Department, CyberSecurity Malaysia.

By awarding a Common Criteria certificate, the MyCB asserts that the product complies with the security requirements specified in the associated Security Target. A Security Target is a requirements specification document that defines the scope of the evaluation activities. The consumer of certified IT products should review the Security Target, in addition to this certification report, in order to gain an understanding of any assumptions made during the evaluation, the IT product's intended environment, its security requirements, and the level of confidence (i.e., the evaluation assurance level) that the product satisfies the security requirements.

This certification report is associated with the certificate of product evaluation dated 15 March 2011, and the Security Target (Ref [6]). The certification report, certificate of product evaluation and Security Target are posted on the MyCC Scheme Certified Product Register (MyCPR) at www.cybersecurity.my/mycc.

Reproduction of this report is authorized provided the report is reproduced in its entirety.


Disclaimer

The Information Technology (IT) product identified in this certification report and its associated certificate has been evaluated at an accredited and licensed evaluation facility established under the Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme (Ref [4]) using the Common Methodology for IT Security Evaluation, version 3.1 revision 3 (Ref [3]), for conformance to the Common Criteria for IT Security Evaluation, version 3.1 revision 3 (Ref [2]). This certification report and its associated certificate apply only to the specific version and release of the product in its evaluated configuration. The evaluation has been conducted in accordance with the provisions of the MyCC Scheme and the conclusions of the evaluation facility in the evaluation technical report are consistent with the evidence adduced. This certification report and its associated certificate are not an endorsement of the IT product by CyberSecurity Malaysia or by any other organisation that recognises or gives effect to this certification report and its associated certificate, and no warranty of the IT product by CyberSecurity Malaysia or by any other organisation that recognises or gives effect to this certificate, is either expressed or implied.


Document Change Log

RELEASE | DATE | PAGES AFFECTED | REMARKS/CHANGE REFERENCE

v1 | 4 March 2011 | All | Final Released.

v1a | 15 March 2011 | Page iv | Add the date of the certificate.


Executive Summary

NetMATRIX TLE (Terminal Line Encryption) v1.0 Build number 00010003 (hereafter referred to as NetMATRIX TLE) from GHL Systems Berhad is the Target of Evaluation (TOE). NetMATRIX TLE is a software solution that essentially provides a secure channel (through encryption and message authentication (MAC)), similar to VPN or SSL, layered over an Acquirer’s existing POS infrastructure, to the terminals.

The security functionalities within the scope of TOE evaluation are:

• Protection of confidential data elements exchanged with the terminals by encrypting all such data sent to the terminals on behalf of the processing host, and by decrypting any such data received from the terminals before forwarding it to the processing host; and

• Protection of integrity and authenticity of the messages exchanged with the terminal by protecting the whole message with a Message Authentication Code (MAC).

The key used to derive the unique Terminal keys within the TOE can only be inserted by authorised personnel with access to a secure and protected environment.

The TOE consists of three major components: the web administration subsystem, the TLE subsystem, and the database subsystem.

The scope of the evaluation is defined by the Security Target (Ref [6]), which identifies assumptions made during the evaluation, the intended environment for NetMATRIX TLE, the security requirements, and the evaluation assurance level at which the product is intended to satisfy the security requirements. Consumers are advised to verify that their operating environment is consistent with that specified in the Security Target, and to give due consideration to the comments, observations and recommendations in this certification report.

This report describes the findings of the IT security evaluation of NetMATRIX TLE to the Common Criteria (CC) evaluation assurance level EAL 2, and states that the evaluation was conducted in accordance with the relevant criteria and the requirements of the Malaysian Common Criteria Certification (MyCC) Scheme. The evaluation was performed by CyberSecurity Malaysia Security Evaluation Facilities (MySEF). The evaluation was completed on 28 January 2011.

The Malaysian Common Criteria Certification Body (MyCB), as the MyCC Scheme Certification Body, declares that the NetMATRIX TLE evaluation meets all the conditions of the Arrangement on the Recognition of Common Criteria Certificates and that the product will be listed on the MyCC Scheme Certified Products Register (MyCPR) at www.cybersecurity.my/mycc.

It is the responsibility of the user to ensure that NetMATRIX TLE meets their requirements and security needs. It is recommended that prospective users of NetMATRIX TLE refer to the ST (Ref [6]), and read this Certification Report, prior to deciding whether to purchase and deploy the product.


Table of Contents

1 Target of Evaluation
1.1 TOE Description
1.2 TOE Identification
1.3 Security Policy
1.4 TOE Architecture
1.5 Clarification of Scope
1.6 Assumptions
1.7 Evaluated Configuration
1.8 Delivery Procedures
1.9 Documentation

2 Evaluation
2.1 Evaluation Analysis Activities
2.1.1 Life-cycle support
2.1.2 Development
2.1.3 Guidance documents
2.1.4 IT Product Testing

3 Results of the Evaluation
3.1 Assurance Level Information
3.2 Recommendation

Annex A References
A.1 References
A.2 Terminology
A.2.1 Acronyms
A.2.2 Glossary of Terms

Index of Tables

Table 1: TOE Identification
Table 2: Independent Functional Testing
Table 3: List of Acronyms
Table 4: Glossary of Terms

Index of Figures

Figure 1: Subsystem of the TOE
Figure 2: Physical boundary of the TOE


1 Target of Evaluation

1.1 TOE Description

1 The Target of Evaluation (TOE), NetMATRIX TLE (Multi-Application Transaction Routing and Identification eXchange – Terminal Line Encryption) v1.0 Build number 00010003 (hereafter referred to as NetMATRIX TLE), is a software solution to the line tapping fraud problems that are plaguing the card acquirer. NetMATRIX TLE essentially provides a secure channel (through encryption and message authentication (MAC)), similar to VPN or SSL, layered over an Acquirer’s existing POS infrastructure, to the terminals.

2 NetMATRIX TLE is a software solution that, once installed and configured, operates akin to a VPN server. It co-operates with the terminals to ensure that all sensitive information exchanged with the terminals is encrypted and that whole messages are protected against changes and impersonation.

3 Administration and configuration of NetMATRIX TLE is performed via a web-based management interface, using a web browser on a PC.

1.2 TOE Identification

4 The details of the TOE are identified in Table 1 below.

Table 1: TOE Identification

Scheme: Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme

Project Identifier: C011

TOE Name: NetMATRIX TLE

TOE Version: v1.0 Build number 00010003

Security Target Title: Security Target for NetMATRIX TLE

Security Target Version: v1.0 public

Security Target Date: 25 January 2011

Assurance Level: Evaluation Assurance Level 2 (EAL2)

Criteria: Common Criteria July 2009, Version 3.1, Revision 3

Methodology: Common Methodology for Information Technology Security Evaluation, July 2009, Version 3.1 Revision 3

Protection Profile Conformance: None

Common Criteria Conformance: CC Part 2 Conformant; CC Part 3 Conformant; Package conformant to EAL2

Sponsor and Developer: GHL Systems Berhad, L5-E-7B, Enterprise 4, Technology Park Malaysia, Bukit Jalil, 57000 Kuala Lumpur, Malaysia.

Evaluation Facility: CyberSecurity Malaysia MySEF

1.3 Security Policy

5 NetMATRIX TLE implements the security policies listed below:

a) Access control policy (web) - login and logout to the web administration subsystem by trusted administrators, manual terminal key and MAC key import and management.

b) Information flow control policy (ISO8586) – data communicated to and from the TOE are protected during communication by enforcement of the encryption and MAC mechanisms in the TOE.

6 The details of the access control and information flow control security policies are described in Section 8 of the Security Target (Ref [6]).

7 The NetMATRIX TLE administrator is able to configure the policy rules stated above through the web administration subsystem (administration interface) of the web-based management interface.

1.4 TOE Architecture

8 The NetMATRIX TLE Security Target clearly defines both logical and physical boundaries.

9 Figure 1 illustrates the logical boundary of NetMATRIX TLE in terms of subsystems and interfaces. The TOE’s main functionality for encryption and message authentication hashing is performed in the Terminal Line Encryption (TLE) subsystem.

Figure 1: Subsystem of the TOE

10 The TOE consists of three subsystems: the web administration subsystem, the TLE subsystem and the database subsystem:

a) Terminal Line Encryption (TLE) subsystem - for all communication with the terminals it sends/receives over the ISO8583 interface, encrypts/decrypts all sensitive data and MAC generates/verifies the entire message. The TLE subsystem forwards only the correctly decrypted and MAC verified messages from the terminals to the processing host, and ensures that all messages from the processing host to the terminals are properly encrypted and MACed. The TLE subsystem also implements the proxy terminal-accessible administration interface inside the encryption+MAC tunnel, used by the remote key injection functionality, but this is out of the evaluation scope.

b) Web administration subsystem - provides the human-accessible administration interface of the TOE. It allows the administrators to perform all the management tasks, in particular the management of the MAC/encryption keys. Access to this interface is primarily restricted to the administrators by the environment. Although there is an access control mechanism in place for administrator login, privilege and password configuration, this is out of the scope of evaluation.

c) Database subsystem - is the central location where the TLE subsystem and the web administration subsystem store and retrieve persistent data not stored in the TLE subsystem itself. This subsystem cannot be accessed remotely.

Figure 2: Physical boundary of the TOE

11 NetMATRIX TLE is delivered to the customer in the form of an installation CD together with its guidance documents, which consist of the items listed below:

a) Hardware and firmware: None (underlying hardware to be provided by environment)

b) Software: NetMATRIX TLE provided as installation CD (underlying OS to be provided by the environment)

c) Guidance for TOE user (manuals for the NetMATRIX TLE, delivered together with the TOE):
   i) NetMATRIX TLE Operations Manual, version 1.00
   ii) NetMATRIX TLE Installation Guide Version 1.01
   iii) NetMATRIX TLE Administration User Manual, version 1.20

d) Guidance for the terminal developer (design documentation for terminal software developers, provided under NDA only):
   i) NetMATRIX TLE Terminal Functional Specification, version 1.60

12 NetMATRIX TLE is a software type TOE and it is not able to run stand-alone. It requires the environment to support its operation. The environment provides:

a) Microsoft Windows Server 2003 Service Pack 2, standard edition, including IIS (hardening is required)

b) MSDE or Microsoft SQL Server Express Edition 2005

c) Server hardware to run said OS and the TOE has been tested on:
   i) Intel x86 compatible CPU, Pentium 4 2.18Ghz.
   ii) 1.5GB RAM.
   iii) 160GB Disk.

d) Power and TCP/IP network connectivity

e) Physical and logical protection against attacks

1.5 Clarification of Scope

13 This section clarifies the evaluation boundary as claimed in the Security Target (Ref [6]) and the following evaluated security functions:

a) Line encryption – the TOE protects the confidential data elements exchanged with the terminals by encrypting all such data sent to the terminals on behalf of the processing host, and by decrypting any such data received from the terminals before forwarding it to the processing host. The key used for encryption will be unique per terminal. The following cryptographic algorithms are supported:
   i) Tiny Encryption Algorithm (TEA)
   ii) Data Encryption Standard (1DES)
   iii) Triple-DES (3DES)
   iv) Advanced Encryption Standard (AES)

b) Message MACing (Message authentication code) – the TOE protects the integrity and authenticity of the messages exchanged with the terminal by protecting the whole message with a Message Authentication Code (MAC). All messages sent to the terminal on behalf of the processing host must contain a valid MAC for that terminal. For all messages received from the terminals, the MAC must be checked, and only if the MAC is valid for that terminal must the TOE forward the message to the processing host. The following MACing algorithms are supported:
   i) X9.9 using TEA/DES/3DES/AES
   ii) X9.19 using 3DES (also known as RMAC)
   iii) SHA-1 + X9.9 as above
   iv) SHA-1 + X9.19 as above
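The verify-before-forward rule in item b), as an added example that is not part of the certification report or the product's code: a CBC-MAC in the X9.9 style built on TEA, checked with a per-terminal key before a message is released to the processing host. The key table, message bytes, zero padding, 4-byte MAC length and big-endian word order are assumptions for illustration, not NetMATRIX TLE's wire format.

```python
import hmac
import struct

MASK32 = 0xFFFFFFFF
TEA_DELTA = 0x9E3779B9
BLOCK = 8  # TEA block size in bytes


def tea_encrypt_block(block: bytes, key: bytes) -> bytes:
    """Encrypt one 8-byte block with TEA (32 rounds, 16-byte key)."""
    v0, v1 = struct.unpack(">2I", block)      # big-endian words: an assumption
    k0, k1, k2, k3 = struct.unpack(">4I", key)
    total = 0
    for _ in range(32):
        total = (total + TEA_DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return struct.pack(">2I", v0, v1)


def cbc_mac(message: bytes, key: bytes, mac_len: int = 4) -> bytes:
    """CBC-MAC with a zero IV; returns the leftmost mac_len bytes of the last block."""
    if not message:
        raise ValueError("refusing to MAC an empty message")
    # Zero padding (assumed here) does not encode the message length, so the
    # message format itself has to fix or carry the length.
    padded = message + b"\x00" * (-len(message) % BLOCK)
    state = bytes(BLOCK)
    for i in range(0, len(padded), BLOCK):
        mixed = bytes(a ^ b for a, b in zip(state, padded[i:i + BLOCK]))
        state = tea_encrypt_block(mixed, key)
    return state[:mac_len]


# Constructed per-terminal MAC keys (hypothetical terminal IDs and key values).
TERMINAL_KEYS = {
    "TERM0001": bytes.fromhex("00112233445566778899aabbccddeeff"),
    "TERM0002": bytes.fromhex("ffeeddccbbaa99887766554433221100"),
}


def protect(terminal_id: str, message: bytes) -> bytes:
    """Host-to-terminal direction: append the MAC for that terminal."""
    return message + cbc_mac(message, TERMINAL_KEYS[terminal_id])


def verify_and_forward(terminal_id: str, frame: bytes, mac_len: int = 4):
    """Terminal-to-host direction: return the message only if its MAC is
    valid for this terminal's key; otherwise return None (drop)."""
    key = TERMINAL_KEYS.get(terminal_id)
    if key is None or len(frame) <= mac_len:
        return None
    message, tag = frame[:-mac_len], frame[-mac_len:]
    expected = cbc_mac(message, key, mac_len)
    # Constant-time comparison avoids leaking how many MAC bytes matched.
    if not hmac.compare_digest(expected, tag):
        return None
    return message


if __name__ == "__main__":
    msg = b"0200 terminal=TERM0001 amount=000000001000 (constructed)"
    frame = protect("TERM0001", msg)
    print("valid frame forwarded:", verify_and_forward("TERM0001", frame) == msg)
    print("other terminal's key:", verify_and_forward("TERM0002", frame))
```
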

14 Listed below are the limits of the evaluation scope on the security functionality of NetMATRIX TLE as described in section 2.2.2 of the Security Target (Ref [6]):

a) NetMATRIX TLE can perform aggregation and limited routing of transactions. This is not evaluated functionality. It does not impact the encryption/MAC mechanisms.

b) NetMATRIX TLE can perform remote key injection, a mechanism designed to facilitate easy deployment of keys with terminals in the field. This mechanism is a possible method for generating the unique terminal keys (by derivation from the applicable Base Derivation Key), distributing them and inserting them in a way fulfilling the terminal personalization requirements, but it is explicitly not part of the evaluation. This mechanism uses the trusted path provided by the TOE under the SFR “Error! Reference source not found.” for mutual authentication and confidentiality. Alternatively, the administrator can generate the unique terminal keys with a stand-alone application and distribute them following the terminal personalization requirements. This is also outside the scope of evaluation.

c) NetMATRIX TLE allows the administrator to perform practical management tasks other than the key import, such as starting/stopping/restarting subsystems for maintenance, administration of the proxy-terminals used for the remote key injection, and logging for fault seeking. None of these tasks is evaluated functionality. Note that these tasks require administrator access, which is protected by the environment.

15 In terms of packaging, the product can be installed on behalf of the customer or even delivered pre-installed on a hardware appliance, following the preparative guidance. As such it can be installed on a platform (hardware+software) that allows connections such as X.25, and these are translated to the TCP/IP transmission layer as expected. This is consistent with the TOE in its evaluated configuration.

1.6 Assumptions

16 This section summarises the security aspects of the environment or configuration in which the IT product is intended to operate. Consumers should understand their own IT environments and what is required for secure operation of NetMATRIX TLE as defined in subsequent sections and in the Security Target. Customers can make informed decisions about the risks associated with using NetMATRIX TLE by considering assumptions about usage and environment settings as requirements for the product’s installation and its operating environment, to ensure its proper and secure operation.

17 However, no assumption is declared in the Security Target, since the specific items needed by the TOE are explained in the section on Security Objectives for the Operational Environment.

1.7 Evaluated Configuration

18 This section describes the configurations of the TOE that are included within the scope of the evaluation. The assurance gained via evaluation applies specifically to the TOE in the defined evaluated configuration according to the secure installation procedure (Ref 23).

19 The TOE is delivered on CD as an application by the developer’s authorized personnel. The developer’s authorized personnel are responsible for making changes to the configuration based on the secure installation procedure (Ref 23) as follows:

a) Installation of NetMATRIX TLE Web Administration component.

b) Installation of NetMATRIX TLE Service component.

c) Initialize the database for NetMATRIX TLE usage.


1.8 Delivery Procedures

20 NetMATRIX TLE is delivered to the customers in the form of an installation CD together with its guidance documents, using the procedure described in the Common Criteria Addendum for NetMATRIX TLE (Ref [8]). This is to ensure that NetMATRIX TLE is securely transferred from the development environment to the customer. The delivery procedures are outlined below:

a) The developer is responsible for delivering the version of NetMATRIX TLE described in the ST to the customer.

b) Typically NetMATRIX TLE is hand-delivered by the developer to ensure it is protected against tampering and impersonation, and the developer will assist in the installation of NetMATRIX TLE. However, other trusted arrangements can also be made.

c) It is the responsibility of the customer to verify that they have received the correct items listed in the Security Target and this Certification Report (the product plus the documentation) from the developer. Customers are advised to contact the developer immediately for further instructions, and not to use the product in security sensitive situations, if they find that they have received incorrect or tampered items.

1.9 Documentation

21 It is important that NetMATRIX TLE is used in accordance with the guidance documentation in order to ensure secure usage of the product.

22 The following documentation is provided by the developer to the end user as guidance to ensure secure usage and operation of the product:

a) NetMATRIX Administration User Manual v1.20, 16 Oct 2005

b) NetMATRIX TLE Operations Manual v1.00, 10 May 2007.

23 The following guidance documentation is provided by the developer for secure installation of the product:

a) NetMATRIX TLE Installation Guide v1.01, 29 June 2010

b) Common Criteria Addendum for NetMATRIX TLE v0.11, 24 Aug 2010

24 The following public documentation is available for secure acceptance of the product:

a) Common Criteria Addendum for NetMATRIX TLE v0.11, 24 Aug 2010

b) Security Target for the NetMATRIX TLE Version 1.0 Build number 00010003, 11 Nov 2010


2 Evaluation

25 The evaluation was conducted in accordance with the requirements of the Common

Criteria, Version 3.1 Revision 3 (Ref [2]) and the Common Methodology for IT

Security Evaluation (CEM), Version 3.1 Revision 3 (Ref [3]). The evaluation was

conducted at Evaluation Assurance Level 2 (EAL2). The evaluation was performed

conformant to the MyCC Scheme Policy (MyCC_P1) (Ref [4]) and MyCC Scheme

Evaluation Facility Manual (MyCC_P3) (Ref [5]).

2.1 Evaluation Analysis Activities

26 The evaluation activities involved a structured evaluation of NetMATRIX TLE,

including the following components:

2.1.1 Life-cycle support

27 An analysis of the NetMATRIX TLE configuration management system and associated

documentation was performed. The evaluators found that the NetMATRIX TLE

configuration items were clearly and uniquely labelled, and that the access control

measures as described in the configuration management documentation are effective

in preventing unauthorized access to the configuration items. The developer’s

configuration management system was evaluated, and it was found to be consistent

with the provided evidence.

28 The evaluators examined the delivery documentation and determined that it

described all of the procedures required to maintain the integrity of NetMATRIX TLE

during distribution to the consumer.

2.1.2 Development

29 The evaluators analysed the NetMATRIX TLE functional specification; they determined that the design completely and accurately describes the TOE security functionality (TSF) interfaces (TSFIs), and how the TSF implements the security functional requirements (SFRs).

30 The evaluators examined the NetMATRIX TLE specification; they determined that the structure of the entire TOE is described in terms of subsystems. They also determined that it provides a complete, accurate, and high-level description of the SFR-enforcing behaviour of the SFR-enforcing subsystems.

31 The evaluators examined the NetMATRIX TLE security architecture description; they determined that the information provided in the evidence is presented at a level of detail commensurate with the descriptions of the SFR-enforcing abstractions contained in the functional specification and TOE design.

2.1.3 Guidance documents

32 The evaluators examined the NetMATRIX TLE preparative user guidance and operational user guidance, and determined that they sufficiently and unambiguously describe how to securely transform the TOE into its evaluated configuration, and how to use and administer the product in order to fulfil the security objectives for the operational environment. The evaluators examined and tested the preparative and operational guidance, and determined that they were complete and sufficiently detailed to result in a secure configuration.

2.1.4 IT Product Testing

33 Testing at EAL2 consists of assessing developer tests, performing independent functional tests, and performing penetration tests. NetMATRIX TLE testing was conducted by CyberSecurity Malaysia MySEF at the CyberSecurity Malaysia MySEF Lab in Seri Kembangan, Selangor, where it was subjected to independent functional and penetration tests. The detailed testing activities, including configurations, procedures, test cases, expected results and actual results, are documented in separate Test Plan Reports.

2.1.4.1 Assessment of Developer Tests

34 The evaluators verified that the developer has met their testing responsibilities by examining their test plans, and reviewing their test results, as documented in the Evaluation Technical Report (Ref [7]) (not a public document because it contains information proprietary to the developer and/or the evaluator).

35 The evaluators analysed the developer’s test coverage and found it to be complete and accurate. The correspondence between the tests identified in the developer’s test documentation and the interfaces in the functional specification, TOE design and security architecture description was complete.

2.1.4.2 Independent Functional Testing

36 Independent functional testing is the evaluation conducted by the evaluators based on the information gathered by examining design and guidance documentation, examining the developer’s test documentation, executing a sample of the developer’s test plan, and creating test cases that augment the developer tests.

37 The results of the independent tests developed and performed by the evaluators to verify the TOE functionality are as follows:

Table 2: Independent Functional Testing

| DESCRIPTION | SECURITY FUNCTION | TSFI | STATUS |
|---|---|---|---|
| The test is developed to see whether the sensitive fields in message from TOE to terminal are really encrypted. | Cryptographic (Encryption) | ISO8583 TSFI | Passed |
| The tests are developed to ensure the TOE performs correct encryption and MACing operations for all the supported algorithms. | Cryptographic (Encryption), Cryptographic (MAC) | ISO8583 TSFI | Passed |
| The tests are developed to simulate multiple terminals of transaction to a single host and verify it is working properly. | Cryptographic (Encryption), Cryptographic (MAC) | ISO8583 TSFI | Passed |

38 All tests performed by the evaluators produced the expected results and as such the TOE behaved as expected.

2.1.4.3 Penetration Testing

39 The evaluators performed a vulnerability analysis of the TOE in order to identify potential vulnerabilities in the TOE. This vulnerability analysis considered public domain sources and an analysis of the guidance documentation and functional specification.

40 From the vulnerability analysis, the evaluators conducted penetration testing to determine that the TOE is resistant to attacks performed by an attacker possessing Basic attack potential. The following factors have been taken into consideration during the penetration tests:

a) Time taken to identify and exploit (elapsed time);

b) Specialist technical expertise required (specialist expertise);

c) Knowledge of the TOE design and operation (knowledge of the TOE);

d) Window of opportunity; and

e) IT hardware/software or other equipment required for exploitation.

41 The penetration tests focused on:

a) Generic vulnerabilities;

b) Web based penetration testing;

c) Tampering.

42 The results of the penetration testing note that a number of additional vulnerabilities exist that are dependent on an attacker's effort, time, skill/knowledge, and the focused tools/exploits used to gather the TOE configuration information. Therefore, it is important to ensure that the TOE is used only in its evaluated configuration and in a secure environment. It is also important that the Administrator of the TOE be trained and trusted.

2.1.4.4 Testing Results

43 Tests conducted for the NetMATRIX TLE produced the expected results and demonstrated that the product behaved as specified in its Security Target and functional specification.

3 Results of the Evaluation

44 After due consideration during the oversight of the evaluation execution by the certifiers and of the Evaluation Technical Report (Ref [7]), the Malaysian Common Criteria Certification Body certifies the evaluation of NetMATRIX TLE performed by CyberSecurity Malaysia MySEF.

45 CyberSecurity Malaysia MySEF found that NetMATRIX TLE upholds the claims made in the Security Target (Ref [6]) and supporting documentation, and has met the requirements of the Common Criteria (CC) assurance level EAL2.

46 Certification is not a guarantee that a TOE is completely free of exploitable vulnerabilities. There will remain a small level of risk that exploitable vulnerabilities remain undiscovered in its claimed security functionality. This risk is reduced as the certified level of assurance increases for the TOE.

3.1 Assurance Level Information

47 EAL2 provides a basic level of assurance by a limited Security Target and an analysis of the security functions in that Security Target, using a design document, architectural document, functional and interface specification and guidance documentation, to understand the security behaviour.

48 The analysis is supported by a search for potential vulnerabilities in the public domain, developer’s test cases and independent testing (functional and penetration) of the TOE security functions.

49 EAL2 also provides assurance through unique identification of the TOE and implementation of a configuration management system so that there is no ambiguity in terms of which instance of the TOE is being evaluated.

3.2 Recommendation

50 In addition, to ensure secure usage of the product, below are additional recommendations for NetMATRIX TLE:

a) Ensure strict adherence to the acceptance checklist as mentioned in the Common Criteria Addendum for NetMATRIX TLE (Ref [8]).

b) Use it only in its evaluated configuration.

c) HTTPS is recommended to be deployed to ensure that communication via the web administration subsystem is secured.

d) Implement a strong cryptographic algorithm with a long key size.

Annex A References

A.1 References

[1] Arrangement on the recognition of Common Criteria Certificates in the field of Information Technology Security, May 2000.

[2] The Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July 2009.

[3] The Common Evaluation Methodology for Information Technology Security Evaluation, Version 3.1, Revision 3, July 2009.

[4] MyCC Scheme Policy (MyCC_P1), v1a, CyberSecurity Malaysia, December 2009.

[5] MyCC Scheme Evaluation Facility Manual (MyCC_P3), v1, December 2009.

[6] Security Target for the NetMATRIX TLE Version 1.0 Build number 00010003, version 1.0 public, 25 January 2011.

[7] Evaluation Technical Report NetMATRIX TLE Version 1.0 Build number 00010003, version 1.2, 28 January 2011.

[8] Common Criteria Addendum for NetMATRIX TLE v0.11, 24 August 2010.

[9] NetMATRIX TLE Terminal Functional Specification (SFE) v1.60, 10 March 2010.

[10] NetMATRIX TLE Installation Guide v1.01, 29 June 2010.

[11] NetMATRIX TLE Administration User Manual v1.20, 16 Oct 2005.

[12] NetMATRIX TLE Operations Manual v1.00, 10 May 2007.

A.2 Terminology

A.2.1 Acronyms

Table 3: List of Acronyms

| Acronym | Expanded Term |
|---|---|
| CB | Certification Body |
| CC | Common Criteria (ISO/IEC 15408) |
| CEM | Common Evaluation Methodology (ISO/IEC 18045) |
| CCRA | Common Criteria Recognition Arrangement |
| IEC | International Electrotechnical Commission |
| ISO | International Organisation for Standardization |
| ISCB | Information Security Certification Body |
| MAC | Message Authentication Code |
| MyCB | Malaysian Common Criteria Certification Body |
| MyCC | Malaysian Common Criteria Evaluation and Certification Scheme |
| MyCPR | MyCC Scheme Certified Products Register |
| MySEF | Malaysian Security Evaluation Facility |
| NDA | Non-Disclosure Agreement |
| POS | Point of sale |
| PP | Protection Profile |
| ST | Security Target |
| TLE | Terminal Line Encryption |
| TOE | Target of Evaluation |

A.2.2 Glossary of Terms

Table 4: Glossary of Terms

| Term | Definition and Source |
|---|---|
| CC International Interpretation | An interpretation of the CC or CEM issued by the CCMB that is applicable to all CCRA participants. |
| Certificate | The official representation from the CB of the certification of a specific version of a product to the Common Criteria. |
| Certification Body | An organisation responsible for carrying out certification and for overseeing the day-to-day operation of an Evaluation and Certification Scheme. Source CCRA. |
| Consumer | The organisation that uses the certified product within their infrastructure. |
| Developer | The organisation that develops the product submitted for CC evaluation and certification. |
| Evaluation | The assessment of an IT product, IT system, or any other valid target as defined by the scheme, proposed by an applicant against the standards covered by the scope defined in its application against the certification criteria specified in the rules of the scheme. Source CCRA and MS ISO/IEC Guide 65. |
| Evaluation and Certification Scheme | The systematic organisation of the functions of evaluation and certification under the authority of a certification body in order to ensure that high standards of competence and impartiality are maintained and that consistency is achieved. Source CCRA. |
| Interpretation | Expert technical judgement, when required, regarding the meaning or method of application of any technical aspect of the criteria or the methodology. An interpretation may be either a national interpretation or a CC international interpretation. |
| Certifier | The certifier responsible for managing a specific certification task. |
| Evaluator | The evaluator responsible for managing the technical aspects of a specific evaluation task. |
| Maintenance Certificate | The update of a Common Criteria certificate to reflect a specific version of a product that has been maintained under the MyCC Scheme. |
| National Interpretation | An interpretation of the CC, CEM or MyCC Scheme rules that is applicable within the MyCC Scheme only. |
| Security Evaluation Facility | An organisation (or business unit of an organisation) that conducts ICT security evaluation of products and systems using the CC and CEM in accordance with Evaluation and Certification Scheme policy. |
| Sponsor | The organisation that submits a product for evaluation and certification under the MyCC Scheme. The sponsor may also be the developer. |

--- END OF DOCUMENT ---