Computer Associates ETrust Single Sign-On V7


National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report

Computer Associates
eTrust Single Sign-On V7.0

Report Number: CCEVS-VR-05-0124
Dated: October 24, 2005
Version: 1.0

National Institute of Standards and Technology
Information Technology Laboratory
100 Bureau Drive
Gaithersburg, MD 20899

National Security Agency
Information Assurance Directorate
9800 Savage Road STE 6740
Fort George G. Meade, MD 20755-6740

ACKNOWLEDGEMENTS

Validation Team
James E Brosey
Catalina Gomolka
Mitretek Systems, Inc.
Falls Church, VA

Olin Sibert
Orion Security Solutions, Inc.
McLean, VA

Common Criteria Testing Laboratory
Debra Baker
Peter Kukura
Clifton Morgan
CygnaCom Solutions (an Entrust Company)
McLean, VA

Table of Contents

1 Executive Summary .......................................... 5
1.1 Evaluation Details ....................................... 6
1.2 Interpretations .......................................... 6
1.3 Threats to Security ...................................... 6
2 Identification ............................................. 7
2.1 Security Target and TOE Identification ................... 7
2.2 IT Security Environment .................................. 8
2.3 Operating System ......................................... 8
2.4 Hardware Platform ........................................ 8
3 Security Policy ............................................ 8
3.1 Primary Authentication Policy ............................ 9
    IAPRI-1 Primary Authentication ........................... 9
    IAPRI-2 Primary Authentication Options ................... 9
    IAPRI-3 Tickets for Primary Authentication ............... 9
    IAPRI-4 Reauthentication ................................. 10
3.2 Application Authentication Policy ........................ 10
    IAAPP-1 Application Login Information .................... 10
    IAAPP-2 Application Password Authentication .............. 10
3.3 Password Policy .......................................... 11
    PWD-1 Password Policy .................................... 11
    PWD-2 Password Generation ................................ 11
3.4 Auditing Policy .......................................... 12
    AUDIT-1 Audit Generation ................................. 12
    AUDIT-2 Audit Record Contents ............................ 12
3.5 TOE Access Policy ........................................ 12
    TA-1 Session Establishment ............................... 12
4 Assumptions and Clarification of Scope ..................... 12
4.1 Usage Assumptions ........................................ 12
4.2 Environmental Objectives ................................. 13
4.3 Clarification of Scope ................................... 13
5 Architectural Information .................................. 13
5.1 General TOE Functionality ................................ 14
5.2 TOE Interfaces ........................................... 15
5.3 TSF Subsystems and Functionality ......................... 16
5.3.1 Policy Manager Subsystem ............................... 16
5.3.2 Policy Server Subsystem ................................ 16
5.3.3 Authentication Agent Subsystem ......................... 16
5.3.4 SSO Client Subsystem ................................... 17
6 Documentation .............................................. 17
7 IT Product Testing ......................................... 18
7.1 Installation Testing ..................................... 18
7.2 Developer Testing ........................................ 19
7.3 Evaluation Team Independent Testing ...................... 20
7.4 Evaluation Team Penetration Testing ...................... 21
8 Evaluated Configuration .................................... 22
9 Results of the Evaluation .................................. 24
10 Validation Comments/Recommendations ....................... 24
10.1 Validation Comments ..................................... 24
10.2 Validation Recommendations .............................. 25
11 List of Acronyms .......................................... 26
12 Bibliography .............................................. 26

1 EXECUTIVE SUMMARY

The evaluation of the Computer Associates International, Inc. product eTrust Single Sign-On V7.0 was performed by CygnaCom Solutions (an Entrust Company) in the United States and was completed on 30 August 2005. The evaluation was conducted in accordance with the requirements of the Common Criteria, version 2.2, Part 2 and Part 3, Evaluation Assurance Level (EAL 2), and the Common Methodology for IT Security Evaluation (CEM), Version 2.2.

CygnaCom Solutions is certified by the NIAP validation body for laboratory accreditation. The conclusions of the testing laboratory in the evaluation technical report are consistent with the evidence produced. The CygnaCom Security Evaluation Laboratory team concluded that the Common Criteria requirements for Evaluation Assurance Level (EAL2) have been met. This Validation Report is not an endorsement of the Computer Associates International, Inc. product by any agency of the U.S. Government and no warranty of the product is either expressed or implied. The technical information included in this report was obtained from the Evaluation Technical Report (ETR) produced by CygnaCom Solutions.

The Target of Evaluation (TOE) is eTrust Single Sign-On (SSO) V7.0, which consists of:

- The Policy Server is a process that runs on a server host. The Policy Server controls eTrust SSO functions, maintains communications between the various eTrust SSO components and the secure applications that the users invoke, and updates audit logs.
- The Policy Manager is a GUI application that is used to manage the information stored in the Policy Server. It is installed on an administrator's Windows workstation with TCP/IP communication to the Policy Server.
- Authentication Agents are processes that run, generally, on an authentication host server and verify user credentials with the authentication host (e.g., Windows AD domain controller or a Mainframe server). Once verified, the Auth Agent creates an SSO ticket which is passed back to the SSO Client, and the SSO Client uses this ticket in any subsequent communications with the Policy Server; the ticket verifies the authenticity of the user using the SSO Client.
- An SSO Client is a GUI application that runs on every user workstation. It provides an interface for the end user to enter their primary login credentials and, once verified, provides automatic access to their SSO enabled applications without the need to re-enter their application credentials.

For this evaluation, the operating system and the hardware platform on which the software components are running are in the IT environment. Therefore, the operating system and the hardware platform have not been evaluated or tested. The TOE relies on the IT environment to provide Protected Audit Trail Storage, User attribute definition, Management of security function behavior, Management of TSF data, Management of expiration time, Specification of management functions, Security roles, Non-Bypassability of the TSP, Domain separation and Reliable time stamps.

1.1 EVALUATION DETAILS

Evaluated Product: eTrust Single Sign-On V7.0 with patch QO67747
Developer: Computer Associates International, Inc., One Computer Associates Plaza, Islandia, NY 11749
CCTL: CygnaCom Solutions, 7925 Jones Branch Dr., Suite 5200 West, McLean, VA 22102-3321.
Validation Team: James E Brosey, Mitretek Systems, Inc., 3150 Fairview Park South, Falls Church, VA 22042-4519.
EAL: EAL2
Completion Date: 30 August 2005.

1.2 INTERPRETATIONS

The Evaluation Team performed an analysis of the international and national interpretations regarding the CC and the CEM and determined NIAP Interpretations are optional and are not considered for this product in order to ensure acceptance internationally.

The Evaluation Team determined that the following CCIMB interpretations were applicable to this evaluation:

- Final Interpretation for RI # 137 - Rules governing binding should be specifiable.

The Validation Team concluded that the Evaluation Team correctly addressed the interpretations that it identified.

1.3 THREATS TO SECURITY

The Security Target identified the following threats that the evaluated product addresses:

T.BadPassword: Users may not select good passwords on their own, allowing attackers to guess their passwords and obtain unauthorized access to the TOE.

T.ForgeAuth: An attacker may attempt to forge or copy authentication information, in order to gain unauthorized access to resources protected by the TOE.

T.Impersonate: An attacker may attempt to impersonate another user, in order to gain unauthorized access to protected resources.

T.Mismanage: Administrators may make errors in the management of security functions and TSF data, if administrative tools are not provided. Administrative errors may allow attackers to gain unauthorized access to resources protected by the TOE.

T.NoAttributes: The TSF may not be able to correctly enforce its security policy with respect to identification and authentication or TOE access due to not maintaining user security attributes.

T.OffHours: An attacker may attempt to login as an authorized user and gain unauthorized access to resources protected by the TOE. The attacker may login multiple times, thus locking out the authorized user.

T.Reuse: An attacker may attempt to reuse authentication data, allowing the attacker to gain unauthorized access to resources protected by the TOE.

T.TSF Compromise: A user or process may cause, through an unsophisticated attack, TSF data or executable code to be inappropriately viewed, modified, or deleted.

T.Undetect: Attempts by an attacker to violate the security policy and tamper with TSF data may go undetected.

T.Walkaway: A logged-in user may leave a workstation without logging out, which could enable an unauthorized user to gain access to the resources protected by the TOE.

2 IDENTIFICATION

2.1 SECURITY TARGET AND TOE IDENTIFICATION

Security Target – eTrust Single Sign-On V7.0 Security Target V2.0, dated October 20, 2005.

TOE Identification – eTrust Single Sign-On V7.0 with patch QO67747

The Evaluated Configuration of the TOE is software only and includes the following Software Components, each running on a separate machine running Windows 2000 Server SP4:

- Server 1: Policy Server
- Server 2: Authentication Agent
- Workstation 1: Policy Manager
- Workstation 2: SSO Client

CC Identification – Common Criteria for Information Technology Security Evaluation, Version 2.2, January 2004, ISO/IEC 15408.

CEM Identification – Common Evaluation Methodology for Information Technology Security, Version 2.2, Revision 256, January 2004.

Assurance Level - This ST is Common Criteria Version 2.2, Part 2 extended and Part 3 conformant, at Evaluation Assurance Level 2.

Keywords - Single Sign-On, Network Security, Policy Server, Identification, Authentication, Agent and Tickets.

2.2 IT SECURITY ENVIRONMENT

The eTrust SSO ST levies requirements on the TOE as well as the IT Environment. In the case of this TOE, the IT Environment includes the Operating System as well as other eTrust products (eTrust Access Control, eTrust Directory, eTrust Audit), LDAP, SSL implementation, encrypted communication, third party applications and the underlying hardware platforms.

The TOE relies on the environment to provide:

- Protected Audit Trail Storage;
- User attribute definition;
- Management of security function behavior;
- Management of TSF data;
- Specification of management functions;
- Security roles;
- Non-Bypassability of the TSP;
- Domain separation; and
- Reliable time stamps.

The TOE was evaluated with the Microsoft Windows 2000 operating system in the TOE IT environment.

2.3 OPERATING SYSTEM

The TOE was evaluated on the Microsoft Windows 2000 Server operating system with Service Pack 4.

2.4 HARDWARE PLATFORM

The Computer Associates eTrust SSO product was evaluated using the hardware platform as described in section 8 of this document.

3 SECURITY POLICY

The eTrust Single Sign-On TOE provides these security services:

- Primary Authentication
- Application Authentication
- Passwords
- Auditing
- TOE Access

Potential users of this product should confirm that the functionality implemented is suitable to meet the user's requirements.

3.1 PRIMARY AUTHENTICATION POLICY

IAPRI-1 Primary Authentication

Primary Authentication is the way that eTrust SSO users prove their identities. Once users have proved their identities, these users are entitled to obtain their application login information. eTrust SSO performs no actions on behalf of the user without authenticating the user.

During primary authentication, the eTrust SSO Client executing on the user's workstation provides the user's authentication information to an Authentication Agent running on an Authentication Host. The Authentication Agent uses the capabilities of the Authentication Host, which can include things such as reading biometric data or smartcards, to authenticate the user. In the evaluated configuration, LDAP authentication is to be used (username/password). Thus, the authentication will be partially provided by eTrust Directory, which is outside the TOE Boundary. After the user is authenticated, the Authentication Agent creates an SSO Ticket and sends it to the SSO Client, which caches it. An SSO Ticket is valid for a predetermined period of time set by the Administrator through an MS Windows interface in the IT environment. Once primary authentication is carried out, the eTrust SSO Client automatically requests an application list. This list is displayed on the end user's workstation.

When the end user requests to log into one of their SSO enabled applications, the SSO Client sends the SSO ticket that it has cached to the Policy Server. If the SSO Ticket has not expired and the Policy Server verifies the authenticity of the SSO ticket, the Policy Server sends the login variables and the application script to the SSO Client. If the SSO ticket has expired, the Policy Server informs the eTrust SSO Client that the SSO ticket is invalid and tells it to re-authenticate the user by performing primary authentication again.

IAPRI-2 Primary Authentication Options

The eTrust SSO supports the following evaluated Primary Authentication methods:

- LDAP (any LDAP compliant repository.)

eTrust SSO also supports other non-evaluated Primary Authentication methods. Each eTrust SSO end user is associated with one or more Primary Authentication methods.

IAPRI-3 Tickets for Primary Authentication

The SSO ticket is an encrypted string containing the information needed for authenticating the user to the Policy Server. When the SSO Client starts up, it requests authentication from its designated Authentication Agent. The Authentication Agent works with an Authentication Host to verify the user's credentials provided by the SSO Client, and if they are valid sends an SSO Ticket to the eTrust SSO Client. The SSO Client then subsequently sends the SSO ticket to the Policy Server for any requests for data as proof that the end user has been authenticated.

Tickets have an expiration time and the Policy Server checks whether or not the ticket has expired. SSO tickets are time stamped. The time stamp, provided by the IT environment, is used by the Policy Server to verify whether or not the ticket has expired. An expired ticket will require the user to reauthenticate before being allowed access to the applications.

The IT environment provides the SSO Ticket encryption, using a combination of ElGamal Public Key and Triple DES encryption.

IAPRI-4 Reauthentication

There are three cases for which the end user will have to be re-authenticated:

- When the SSO ticket expires;
- When the eTrust SSO Client's workstation is locked using the eTrust SSO StationLock option. This option locks the end user out of the workstation after the workstation is idle for a specified period and displays the appropriate login box depending on what primary authentication mechanism the user is defined to be able to use. Once the required data is entered, the eTrust SSO Client attempts reauthentication with the primary authentication agent. If reauthentication is successful, the eTrust SSO Client unlocks the workstation; and
- When accessing specific applications designated as “sensitive” that require reauthentication at frequent intervals such as every five minutes.

3.2 APPLICATION AUTHENTICATION POLICY

IAAPP-1 Application Login Information

The Policy Server retrieves from the embedded eTrust Access Control repository a list of applications that the user is authorized to use and sends the list to the eTrust SSO Client. When the end user selects an application from the application list displayed on the workstation, the eT
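The ticket flow described in IAPRI-1, IAPRI-3 and IAPRI-4, as an added Python model that is not code from this report or from the eTrust SSO product: the Authentication Agent issues a time-stamped ticket after the credentials are verified, the Policy Server checks the ticket's authenticity and expiry before releasing an application's login information (answering an expired or tampered ticket with an instruction to perform primary authentication again), and a helper lists which of the three IAPRI-4 conditions force reauthentication. In the evaluated product the IT environment encrypts tickets with ElGamal and Triple DES; this model substitutes an HMAC over the ticket body under a constructed key. The ticket lifetime, the StationLock idle threshold and the application list are assumed values chosen for the example, not values from the report.

```python
import base64
import hashlib
import hmac
import json

# Constructed demo key standing in for the IT-environment ticket encryption
# (ElGamal + Triple DES in the evaluated product). The HMAC is a substitution
# made for this example, not the product's own mechanism.
AGENT_KEY = b"constructed-demo-key-not-a-real-secret"
TAG_LEN = hashlib.sha256().digest_size

# Assumed policy values; in the product the ticket lifetime is set by the
# administrator through an MS Windows interface in the IT environment.
TICKET_LIFETIME = 8 * 3600          # seconds an SSO ticket stays valid
STATION_LOCK_IDLE = 15 * 60         # idle seconds before StationLock engages
SENSITIVE_REAUTH_INTERVAL = 5 * 60  # "every five minutes" for sensitive apps

# Constructed stand-in for the eTrust Access Control application repository.
AUTHORIZED_APPS = {"alice": ["mail", "payroll"]}


def issue_ticket(user, issued_at, key=AGENT_KEY):
    """Authentication Agent: once the Authentication Host has verified the
    user's credentials, mint a time-stamped ticket bound to that user."""
    claims = {"user": user, "issued": issued_at,
              "expires": issued_at + TICKET_LIFETIME}
    body = json.dumps(claims, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return base64.b64encode(body + tag).decode()


def verify_ticket(ticket, now, key=AGENT_KEY):
    """Policy Server: return ('ok' | 'forged' | 'expired', user).
    Authenticity is checked before expiry, so a tampered ticket never
    yields a username, and 'now' is the environment-supplied time stamp."""
    try:
        raw = base64.b64decode(ticket, validate=True)
    except ValueError:               # binascii.Error is a ValueError subclass
        return ("forged", None)
    body, tag = raw[:-TAG_LEN], raw[-TAG_LEN:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return ("forged", None)
    claims = json.loads(body)
    if now >= claims["expires"]:
        return ("expired", claims["user"])
    return ("ok", claims["user"])


def request_application_login(ticket, app, now):
    """Policy Server handling an SSO Client's request for an application's
    login variables and script. An expired or forged ticket is answered with
    an instruction to perform primary authentication again."""
    status, user = verify_ticket(ticket, now)
    if status != "ok":
        return {"action": "reauthenticate", "reason": status}
    if app not in AUTHORIZED_APPS.get(user, []):
        return {"action": "deny", "reason": "not authorized"}
    return {"action": "login", "user": user, "app": app}


def reauth_reasons(ticket_status, idle_seconds, sensitive_app, last_app_auth, now):
    """IAPRI-4: the three conditions that force the end user to re-authenticate.
    Returns the list of reasons that apply (empty means none applies)."""
    reasons = []
    if ticket_status == "expired":
        reasons.append("ticket expired")
    if idle_seconds >= STATION_LOCK_IDLE:
        reasons.append("station lock")
    if sensitive_app and (last_app_auth is None
                          or now - last_app_auth >= SENSITIVE_REAUTH_INTERVAL):
        reasons.append("sensitive application interval")
    return reasons


if __name__ == "__main__":
    t = issue_ticket("alice", issued_at=1_000)
    print(request_application_login(t, "payroll", now=1_060))
    print(request_application_login(t, "payroll", now=1_000 + TICKET_LIFETIME))
    print(reauth_reasons("ok", idle_seconds=0, sensitive_app=True,
                         last_app_auth=1_500, now=2_000))
```

The order of checks in verify_ticket matters for the threats listed in section 1.3: authenticity is established before the expiry field is trusted, so a ticket whose contents were altered (T.ForgeAuth) is rejected without any of its claims being read, and a genuine but stale ticket (T.Reuse) is reported as expired rather than honoured.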
