Assurance Activity Report For CyberArk Privileged Account .


Assurance Activity Report
For
CyberArk Privileged Account Security - Digital Vault Server
Including Enterprise Password Vault (EPV) v10.4
Document version: 1.0
September 2019
Document prepared by

Table of Contents

1 Introduction ... 4
2 CC Used for this Evaluation ... 4
3 Technical Decisions ... 4
3.1 Applied TDs ... 4
3.2 TDs Not Applicable to this Evaluation ... 5
4 Evaluation Documents ... 5
5 TOE Testing Environment ... 7
5.1 TOE Testing Environment Components ... 7
5.2 TOE Tested Configuration ... 7
5.3 Test Tools ... 10
6 SFR Assurance Activities for SW-APP PP ... 11
6.1 Cryptographic Support (FCS) ... 11
6.1.1 FCS_CKM.1(1) Cryptographic Asymmetric Key Generation ... 11
6.1.2 FCS_CKM.2 Cryptographic Key Establishment ... 11
6.1.3 FCS_CKM_EXT.1 Cryptographic Key Generation Services ... 12
6.1.4 FCS_COP.1(1) Cryptographic Operations — Encryption/Decryption ... 12
6.1.5 FCS_COP.1(2) Cryptographic Operations — Hashing ... 12
6.1.6 FCS_COP.1(3) Cryptographic Operations — Signing ... 13
6.1.7 FCS_COP.1(4) Cryptographic Operations — Keyed-Hashed Message Authentication ... 13
6.1.8 FCS_RBG_EXT.1 Random Bit Generation Services ... 13
6.1.9 FCS_RBG_EXT.2 Random Bit Generation from Applications ... 15
6.1.10 FCS_STO_EXT.1 Storage of Credentials ... 15
6.1.11 FCS_TLSS_EXT.1 — TLS Server Protocol ... 16
6.2 User Data Protection (FDP) ... 22
6.2.1 FDP_DAR_EXT.1 Encryption of Sensitive Application Data ... 22
6.2.2 FDP_DEC_EXT.1 Access to Platform Resources ... 23
6.2.3 FDP_NET_EXT.1 Network Communication ... 24
6.3 Identification and Authentication (FIA) ... 24
6.3.1 FIA_X509_EXT.1 X509 Certificate Validation ... 24
6.3.2 FIA_X509_EXT.2 X509 Certificate Authentication ... 27
6.4 Security Management (FMT) ... 28
6.4.1 FMT_CFG_EXT.1 Secure by Default Configuration ... 28
6.4.2 FMT_MEC_EXT.1 Supported Configuration Mechanism ... 29
6.4.3 FMT_SMF.1 Specification of Management Functions ... 30
6.5 Privacy (FPR) ... 30
6.5.1 FPR_ANO_EXT.1 User Consent for Transmission of Personally Identifiable Information ... 30
6.6 Protection of the TSF (FPT) ... 31
6.6.1 FPT_AEX_EXT.1 Anti-Exploitation Capabilities ... 31
6.6.2 FPT_API_EXT.1 Use of Supported Services and APIs ... 33
6.6.3 FPT_LIB_EXT.1 Use of Third-Party Libraries ... 33
6.6.4 FPT_TUD_EXT.1 Integrity for Installation and Update ... 34
6.6.5 FTP_DIT_EXT.1 Protection of Data in Transit ... 36
7 SAR Assurance Activities for SW-APP PP ... 38
7.1 Class ADV ... 38
7.1.1 ADV_FSP.1 – Basic Functional Specification ... 38
7.2 Class AGD ... 38
7.2.1 AGD_OPE.1 – Operational User Guidance ... 38
7.2.2 AGD_PRE.1 – Preparative Procedures ... 38
7.3 Class ALC ... 39
7.3.1 ALC_CMC.1 – Labelling of the TOE ... 39
7.3.2 ALC_CMS.1 – TOE CM Coverage ... 39
7.4 Class ALC ... 40
7.4.1 ALC_TSU_EXT.1 – Timely Security Updates ... 40
7.5 Class ATE ... 40
7.5.1 ATE_IND.1 – Independent Testing Conformance ... 40
7.6 Class AVA ... 41
7.6.1 AVA_VAN.1 – Vulnerability Survey ... 41

1 Introduction

This CyberArk Evaluation Technical Report documents the evaluation of CyberArk Privileged Account Security - Digital Vault Server Including Enterprise Password Vault (EPV) v10.4 developed by CyberArk Software Ltd.

CyberArk is the sponsor of this evaluation, which is being conducted by DXC Technology Security Testing and Certification Laboratory (STCL) under the United States National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS).

The CyberArk Privileged Account Security – Digital Vault Server ST and TOE claim compliance to the Protection Profile for Application Software, Version 1.2, 2016-04-22.

2 CC Used for this Evaluation

The standards used in the conduct of this evaluation:

- Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model, April 2017, Version 3.1 Revision 5
- Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, September 2017, Version 3.1 Revision 5
- Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, September 2017, Version 3.1 Revision 5
- Common Methodology for Information Technology Security Evaluation: Evaluation methodology, September 2017, Version 3.1 Revision 5

3 Technical Decisions

3.1 Applied TDs

- 0389 — Handling of SSH EP claim for platform (supersedes TD0177)
- 0382 — Configuration Storage Options for Apps
- 0380 — Linux Keyring Requirement in FCS_STO_EXT.1 (supersedes TD0192)
- 0359 — Buffer Protection
- 0358 — Cipher Suites for TLS in SWApp v1.2
- 0327 — Default file permissions for FMT_CFG_EXT.1.2
- 0326 — RSA-based key establishment schemes (supersedes TD0293 and TD0107)
- 0300 — Sensitive Data in FDP_DAR_EXT.1
- 0268 — FMT_MEC_EXT.1 Clarification
- 0267 — TLSS testing - Empty Certificate Authorities list
- 0241 — Removal of Test 4.1 in FCS_TLSS_EXT.1.1

- 0238 — User-modifiable files FPT_AEX_EXT.1.4
- 0221 — FMT_SMF.1.1 - Assignments moved to Selections
- 0217 — Compliance to RFC5759 and RFC5280 for using CRLs
- 0178 — Integrity for installation tests in AppSW PP
- 0174 — Optional Ciphersuites for TLS
- 0172 — Additional APIs added to FCS_RBG_EXT.1.1
- 0163 — Update to FCS_TLSC_EXT.1.1 Test 5.4 and FCS_TLSS_EXT.1.1 Test
- 0131 — Update to FCS_TLSS_EXT.1.1 Test 4.5
- 0121 — FMT_MEC_EXT.1.1 Configuration Options
- 0119 — FCS_STO_EXT.1.1 in PP_APP v1.2

3.2 TDs Not Applicable to this Evaluation

- 0427 — Reliable Time Source – The ST does not make this claim.
- 0392 — FCS_TLSC_EXT.1.2 Wildcard Checking — This TD is not applied, as the ST does not claim FCS_TLSC_EXT.1.
- 0390 — Cryptographically Secure RNG — This TD is not applicable. In the ST, FCS_RBG_EXT.1.1 is completed with the selection 'implements DRBG functionality'.
- 0385 — FTP_DIT_EXT.1 Assurance Activity Clarification – The TD changes the assurance activity for the MOD_VPN_CLI, which is not relevant for this evaluation.
- 0364 — Android mmap testing for FPT_AEX_EXT.1.1 — The TD applies to Android systems; the TOE runs on Windows.
- 0305 — Handling of TLS connections with and without mutual authentication — The ST does not claim FCS_TLSC_EXT.1, FCS_TLSC_EXT.2, or FCS_TLSC_EXT.4.
- 0304 — Update to FCS_TLSC_EXT.1.2 — The ST does not claim FCS_TLSC_EXT.1.
- 0296 — Update to FCS_HTTPS_EXT.1.3 — The ST does not claim FCS_HTTPS_EXT.1.
- 0295 — Update to FPT_AEX_EXT.1.3 Assurance Activities — N/A: the TOE runs on Windows Server 2012 R2, which does not support either EMET or Windows Defender Exploit Guard.
- 0244 — FCS_TLSC_EXT - TLS Client Curves Allowed — The ST does not claim FCS_TLSC_EXT.1.
- 0215 — Update to FCS_HTTPS_EXT.1.2 — The ST does not claim FCS_HTTPS_EXT.1.

4 Evaluation Documents

- CyberArk Software Ltd. Privileged Account Security - Digital Vault Server including Enterprise Password Vault (EPV) v10.4 Security Target, v0.17
- CyberArk Software Ltd. Privileged Account Security - Digital Vault Server including Enterprise Password Vault (EPV) v10.4 Guidance Documentation Supplement AS PPv1.2, v0.8
- CyberArk: Privileged Account Security Installation Guide; Version 10.4
- CyberArk: Privileged Account Security System Requirements; Version 10.4
- CyberArk: Privileged Account Security End-user Guide; Version 10.4
- CyberArk: Privileged Account Security Reference Guide; Version 10.4
- CyberArk: Privileged Account Security Implementation Guide; Version 10.4
- CyberArk: Privileged Account Security Release Notes; Version 10.4
- Protection Profile for Application Software, Version 1.2

5 TOE Testing Environment

5.1 TOE Testing Environment Components

The Enterprise Password Vault installation package is EPV CD Image RIs-v10.4.1, which includes the CD image for all the PAS components under evaluation. The EPV CD image includes:

- EPV version 10.04.01.27
- OpenSSL FIPS Object Module version 2.0.15 (validated module)
- MySQL Enterprise Server Advanced Edition version 5.6.15
- Windows Components
  o PSM version 10.4.100.25
  o PVWA version 10.4.10.4
  o CPM version 10.4.10.7
- Linux Components
  o PSMP: CARKpsmp-10.4.1-3, CARKpsmp-infra-10.04-1.1
  o OPM – CARKaim-10.4-01.2
- CyberArk Version Check tool v1.5 — Downloaded from the CyberArk Support Site and manually transferred to the EPV, Windows Components, and Linux Components hosts to be installed along with the other components from the EPV CD image.

5.2 TOE Tested Configuration

The TOE and all required environment components are running on a VMware workstation (referenced as the Host): a Dell Optiplex 7040 with an Intel i7-6700 processor running Microsoft Windows 10 Enterprise and VMware Workstation 14 Pro, version 14.1.2.

Machine 1 — EPV TOE Host
Hardware: virtual machine
OS and other software: Windows Server 2012 R2 Standard, .NET Framework 4.5.51650
TOE: EPV v10.4, which includes:
  o EPV software version 10.04.01.27
  o MySQL version 5.6.15
  o OpenSSL FIPS Object Module version 2.0.14
  o CyberArk Version Check Tool v1.5
IP Address: 192.168.11.100
Hostname: NIAP 01
Test Tools: Windows Sysinternals package, Wireshark

Machine 2 — Active Directory Server – the authentication server and the CA server; it will also serve as a target that client users access through the TOE
Hardware: virtual machine
OS: Windows Server 2012 R2
IP Address: 192.168.11.10
Hostname: 000-DC1
Test Tools: Wireshark

Machine 3 — Windows Component TOE host
Hardware: virtual machine
OS: Windows Server 2012 R2, IIS version 8.5.9600.16384, .NET version 4.5.51650
IP address: 192.168.11.20
Hostname: NIAP 02
CyberArk software:
  o PSM version 10.4.100.25
  o PVWA version 10.4.10.4
  o CPM version 10.4.10.7
  o CyberArk Version Check Tool v1.5
Test Tools: Wireshark version 2.6.7.64, Zenmap, Windows Sysinternals package

Machine 4 – Linux Component TOE host
Hardware: virtual machine
OS: RHEL 7.4 (Maipo), openssl-1.0.2k-8.el7
IP address: 192.168.11.30
Hostname: NIAP 03
CyberArk software:
  o PSMP: CARKpsmp-10.4.1-3, CARKpsmp-infra-10.04-1.1
  o OPM – CARKaim-10.4-01.2
Other software:
  o OpenSSL version 1.0.2k
  o OpenSSH-7.4 with SSH 2.0
  o CyberArk Version Check Tool v1.5

Machine 5 – Windows Client, used in the testing environment as a client accessing targets through the TOE
Hardware: virtual machine
OS: Windows 10 Pro
Hostname: Desktop-10I8A6
IP address: 192.168.11.50
Browser: Chrome version 73.0.3683.86
Test tools:
  o Zenmap – to scan the EPV/Vault and show that no open ports are visible to non-PAS components in the EPV environment
  o Wireshark version 2.6.6
  o OpenSSL s_client
  o OpenSSL s_server
  o CCTool

5.3 Test Tools

- Wireshark — used for testing TLS and Certificate Validation (FIA).
- Windows Snipping Tool – used in the testing environment for grabbing the screenshots.
- OpenSSL — used for testing the TLS server and TLS client; it is used to create a dummy CA and variations of certificates that could not be created in Windows.
- CCTool — used to manipulate TLS traffic and to test the TLS requirements.
- Windows Sysinternals – used to test the FDP requirements.

6 SFR Assurance Activities for SW-APP PP

6.1 Cryptographic Support (FCS)

6.1.1 FCS_CKM.1(1) Cryptographic Asymmetric Key Generation

6.1.1.1 FCS_CKM.1.1

Assurance Activity

The evaluator shall ensure that the TSS identifies the key sizes supported by the TOE. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.

The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key generation scheme(s) and key size(s) for all uses defined in this PP.

If the application invokes platform-provided functionality for asymmetric key generation, then the evaluator shall examine the TSS to verify that it describes how the key generation functionality is invoked.

If the application implements asymmetric key generation, then the following test activities shall be carried out. (See PP for test AA.)

Table 15 in TSS Section 8.1.1 lists the algorithms and key sizes used by the TOE for the ECC asymmetric key generation scheme that it implements. The table lists the cryptographic operations performed by the TOE, mapping usage, associated cryptographic algorithms and key sizes, as well as the relevant CAVP certificate number.

Section 3.1.1.6 of the Guidance Supplement document includes a statement that the TOE is installed in FIPS Mode and no configuration of cryptographic settings is required.

All Test AA for this SFR are met by the CAVP certification.

6.1.2 FCS_CKM.2 Cryptographic Key Establishment

6.1.2.1 FCS_CKM.2.1

Assurance Activity

The evaluator shall ensure that the supported key establishment schemes correspond to the key generation schemes identified in FCS_CKM.1.1. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme.

The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key establishment scheme(s).

(See PP for test AA.)

Table 15 in TSS Section 8.1.1 lists the key establishment scheme used by the TOE as well as its usage; the key establishment scheme is consistent with the key generation scheme identified in FCS_CKM.1(1). Section 3.1.1.6 of the Guidance Supplement document includes a statement that the TOE is installed in FIPS Mode and no configuration of cryptographic settings is required.

All Test AA for this SFR are met by the CAVP certification.

6.1.3 FCS_CKM_EXT.1 Cryptographic Key Generation Services

6.1.3.1 FCS_CKM_EXT.1.1

Assurance Activity

The evaluator shall inspect the application and its developer documentation to determine if the application needs asymmetric key generation services. If not, the evaluator shall verify that the "generate no asymmetric cryptographic keys" selection is present in the ST. Otherwise, the evaluation activities shall be performed as stated in the selection-based requirements.

Table 15 in the TSS indicates that the TOE implements asymmetric key generation services for use with the Vault Safes and for TLS. The TOE needs asymmetric key generation for TLS.

6.1.4 FCS_COP.1(1) Cryptographic Operations — Encryption/Decryption

6.1.4.1 FCS_COP.1

Assurance Activity

The evaluator checks the AGD documents to determine that any configuration required to configure the functionality for the required modes and key sizes is present.

(See PP for test AA.)

Section 3.1.1.6 of the Guidance Supplement document includes a statement that the TOE is installed in FIPS Mode and no configuration of cryptographic settings is required.

All Test AA for this SFR are addressed by the CAVP certificate.

6.1.5 FCS_COP.1(2) Cryptographic Operations — Hashing

6.1.5.1 FCS_COP.1

Assurance Activity

The evaluator shall check that the association of the hash function with other application cryptographic functions (for example, the digital signature verification function) is documented in the TSS.

The TSF hashing functions can be implemented in one of two modes. The first mode is the byte-oriented mode. In this mode the TSF hashes only messages that are an integral number of bytes in length; i.e., the length (in bits) of the message to be hashed is divisible by 8. The second mode is the bit-oriented mode. In this mode the TSF hashes messages of arbitrary length.

(See PP for test AA.)

TSS

The TSS in Section 8.1.1 includes a statement that the SHA-256 and SHA-384 hash functions are used in HMAC for TLS message integrity and authentication. The TOE implements byte-oriented mode hashing functions.

All Test AA for this SFR are addressed with the CAVP certificate.

6.1.6 FCS_COP.1(3) Cryptographic Operations — Signing

6.1.6.1 FCS_COP.1

Assurance Activity

(See PP for test AA.) – The PP does not define TSS or AGD AA for this SFR.

See CAVP certificate.

6.1.7 FCS_COP.1(4) Cryptographic Operations — Keyed-Hashed Message Authentication

6.1.7.1 FCS_COP.1

Assurance Activity

(See PP for test AA.) – The PP does not define TSS or AGD AA for this SFR.

See CAVP certificate.

6.1.8 FCS_RBG_EXT.1 Random Bit Generation Services

6.1.8.1 FCS_RBG_EXT.1.1

Assurance Activity

If "use no DRBG functionality" is selected, the evaluator shall inspect the application and its developer documentation and verify that the application needs no random bit generation services.

If "implement DRBG functionality" is selected, the evaluator shall ensure that additional FCS_RBG_EXT.2 elements are included in the ST.

If "invoke platform-provided DRBG functionality" is selected, the evaluator performs the following activities. The evaluator shall examine the TSS to confirm that it identifies all functions (as described by the SFRs included in the ST) that obtain random numbers from the platform RBG. The evaluator shall determine that for each of these functions, the TSS states which platform interface (API) is used to obtain the random numbers. The evaluator shall confirm that each of these interfaces corresponds to the acceptable interfaces listed for each platform below. The evaluator shall then decompile the application binary using a decompiler suitable for the application (TOE). The evaluator shall search the output of the decompiler to determine that, for each API listed in the TSS, that API appears in the output. If th
