Samsung Electronics Co., Ltd. Samsung Galaxy Devices On .

Samsung Electronics Co., Ltd. SamsungGalaxy Devices on Android 9(MDFPP31/WLANCEP10/VPNC21) SecurityTargetVersion: 0.52019/10/16Prepared for:Samsung Electronics Co., Ltd.416 Maetan-3dong, Yeongtong-gu, Suwon-si, Gyeonggi-do, 443-742 KoreaPrepared By:www.gossamersec.com

Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 9(MDFPP31/WLANCEP10/VPNC21) Security TargetVersion: 0.5Date: 2019/10/16Table of Contents1234567Security Target Introduction .41.1Security Target Reference . 51.2TOE Reference. 61.3TOE Overview . 61.4TOE Description. 61.4.1TOE Architecture . 91.4.2TOE Documentation . 11Conformance Claims . 122.1Conformance Rationale . 13Security Objectives . 143.1Security Objectives for the Operational Environment . 14Extended Components Definition. 15Security Requirements. 185.1TOE Security Functional Requirements . 185.1.1Security Audit (FAU) . 215.1.2Cryptographic Support (FCS) . 225.1.3User Data Protection (FDP) . 315.1.4Identification and Authentication (FIA) . 335.1.5Security Management (FMT) . 395.1.6Protection of the TSF (FPT) . 465.1.7TOE Access (FTA) . 495.1.8Trusted Path/Channels (FTP) . 505.2TOE Security Assurance Requirements . 505.2.1Development (ADV) . 515.2.2Guidance Documents (AGD) . 515.2.3Life-cycle Support (ALC) . 525.2.4Tests (ATE). 535.2.5Vulnerability Assessment (AVA) . 54TOE Summary Specification . 556.1Security Audit . 556.2Cryptographic Support . 576.3User Data Protection. 676.4Identification and Authentication . 716.5Security Management . 786.6Protection of the TSF . 796.7TOE Access . 836.8Trusted Path/Channels . 846.9Knox Workspace Container Functionality . 84TSF Inventory . 862 of 87

Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 9(MDFPP31/WLANCEP10/VPNC21) Security TargetVersion: 0.5Date: 2019/10/16List of TablesTable 1 - Glossary . 5Table 2 - Evaluated Devices . 7Table 3 - Equivalent Devices . 8Table 4 – Carrier Models . 8Table 5 – Technical Decisions . 12Table 6 - Extended SFRs and SARs . 17Table 7 – TOE Security Functional Requirements . 21Table 8 - Security Management Functions . 46Table 9 - Audit Events . 56Table 10 - Asymmetric Key Generation per Module . 57Table 11 - W-Fi Alliance Certificates . 58Table 12 - Salt Creation . 59Table 13 - BoringSSL Cryptographic Algorithms . 60Table 14 - Kernel Versions . 60Table 15 - Samsung Kernel Cryptographic Algorithms . 61Table 16 - TEE Environments . 61Table 17 - SCrypto TEE Cryptographic Algorithms . 61Table 18 - Hardware Components . 62Table 19 - Chipset Hardware Cryptographic Algorithms . 63Table 20 - Key Management Matrix. 66Table 21 - Access Control Categories . 69Table 22 - DAR Encryption Implementations . 69Table 23 - Device biometric sensor . 73Table 24 – Allowed Lock Screen Authentication Methods . 76Table 25 - Secure Boot Public Keys . 79Table 26 - Power-up Cryptographic Algorithm Self-Tests . 82Table 27 - TSF Files Inventory . 873 of 87

Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 9(MDFPP31/WLANCEP10/VPNC21) Security Target1Version: 0.5Date: 2019/10/16Security Target IntroductionThis section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, STconventions, ST conformance claims, and the ST organization. The TOE consists of the Samsung GalaxyDevices on Android 9 provided by Samsung Electronics Co., Ltd. The TOE is being evaluated as a MobileDevice.The Security Target contains the following additional sections: Conformance Claims (Section 2) Security Objectives (Section 3) Extended Components Definition (Section 4) Security Requirements (Section 5) TOE Summary Specification (Section 6)Acronyms and TerminologyAAAssurance ActivityBAFBiometric Authentication FactorCCCommon CriteriaCCEVS Common Criteria Evaluation and Validation SchemeEAREntropy Analysis ReportGUIGraphical User InterfaceNFCNear Field CommunicationPADPresentation Attack DetectionPAIPresentation Attack InstrumentPCLProduct Compliant ListPPProtection ProfileSARSecurity Assurance RequirementSFRSecurity Functional RequirementSOFStrength of FunctionSTSecurity TargetTEETrusted Execution Environment (TrustZone)TOETarget of EvaluationU.S.United StatesVRValidation ReportGlossary4 of 87

Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 9(MDFPP31/WLANCEP10/VPNC21) Security TargetBoot Lock ScreenDevice Lock ScreenAndroid Lock ScreenFile-Based Encryption(FBE)Firmware Over-the-air(FOTA)On-Device Encryption(ODE)Version: 0.5Date: 2019/10/16The Boot Lock authentication screen appears on ODE-enabled devices on any powerup/restart cycle when the device is configured for Secure Start-up.Related to ODE.The Device Lock Screen is the Android OS lock screen (as opposed to the Boot Lockscreen).FBE allowed files to be encrypted with different keys and unlocked individually basedon different authentication/access controls. This is implemented as part of the ext4file system (using fscrypt).Firmware Over-the-air is a term for the process of updating the firmware (operatingsystem and services) on the device via a wireless connection as opposed to a wired(i.e. USB) connection.On-Device Encryption is a Full-Disk Encryption solution for Android devices where theuser data partition is encrypted at the block level. This is implemented with dm-crypt.When Secure Start-up is enabled, the user must authenticate to the Boot Lock Screenbefore Android will start.Related to Boot Lock Screen.Table 1 - GlossaryConventionsThe following conventions have been applied in this document:1.1 Security Functional Requirements – Part 2 of the CC defines the approved set of operations thatmay be applied to functional requirements: iteration, assignment, selection, and refinement.o Iteration: allows a component to be used more than once with varying operations. Inthe ST, iteration is indicated by a parenthetical number placed at the end of thecomponent. For example FDP ACC.1(1) and FDP ACC.1(2) indicate that the ST includestwo iterations of the FDP ACC.1 requirement.o Assignment: allows the specification of an identified parameter. Assignments areindicated using bold and are surrounded by brackets (e.g., [assignment]). Note that anassignment within a selection would be identified in italics and with embedded boldbrackets (e.g., [[selected-assignment]]).o Selection: allows the specification of one or more elements from a list. Selections areindicated using bold italics and are surrounded by brackets (e.g., [selection]).o Refinement: allows the addition of details. Refinements are indicated using bold, foradditions, and strike-through, for deletions (e.g., “ all objects ” or “ some big things ”). Other sections of the ST – Other sections of the ST use bolding to highlight text of specialinterest, such as captions.Security Target ReferenceST Title – Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 9(MDFPP31/WLANCEP10/VPNC21) Security TargetST Version – Version 0.5ST Date – 2019/10/165 of 87

Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 9(MDFPP31/WLANCEP10/VPNC21) Security Target1.2Version: 0.5Date: 2019/10/16TOE ReferenceTOE Identification – Samsung Galaxy Devices on Android 9TOE Developer – Samsung Electronics Co., Ltd.Evaluation Sponsor – Samsung Electronics Co., Ltd.1.3TOE OverviewThe Target of Evaluation (TOE) are the Samsung Galaxy Devices on Android 9.1.4TOE DescriptionThe TOE is a mobile device based on Android 9 with a built-in IPsec VPN client and modifications madeto increase the level of security provided to end users and enterprises. The TOE is intended for use aspart of an enterprise mobility solution providing mobile staff with enterprise connectivity.The TOE includes a Common Criteria mode (or “CC mode”) that an administrator can invoke using anMDM. The TOE must meet the following prerequisites in order for an administrator to transition the TOEto and remain in the CC configuration. Require a boot and device lock password (swipe, PIN, pattern, accessibility (direction), screenlocks are not allowed). Acceptable biometrics vary with the device for the device lock. The maximum password failure retry policy should be less than or equal to 30. A screen lock password required to decrypt data on boot. Revocation checking must be enabled. External storage must be encrypted. Password (non-container) recovery policy and password history must not be enabled. When CC mode has been enabled, the TOE behaves as follows:o The TOE sets the system wide Android CC mode property to be enabled.o The TOE prevents loading of custom firmware/kernels and requires all updates occurthrough FOTA.o The TOE utilizes CAVP approved cryptographic ciphers for TLS.o The TOE ensures FOTA updates utilize 2048-bit PKCS #1 RSA-PSS formatted signatures(with SHA-512 hashing).The TOE includes a containerization capability, Knox Workspace container, which is part of the KnoxPlatform. This container provides a way to segment applications and data into two separate areas on thedevice, such as a personal area and a work area, each with its own separate apps, data and securitypolicies. For this effort, the TOE was evaluated both without and with a Knox Workspace containercreated. Thus, the evaluation includes several Knox-specific claims that apply to a Knox Workspacecontainer when created.There are different models of the TOE, the Samsung Galaxy Devices on Android 9, and these modelsdiffer in their internal components (as described in the table below). All devices are A64 architecture.The model numbers of the mobile devices used during evaluation testing are as follows:6 of 87

Samsung Electronics Co., Ltd. Samsung Galaxy Devices on Android 9(MDFPP31/WLANCEP10/VPNC21) Security TargetDevice NameGalaxy S10eGalaxy S10 Galaxy S9 Galaxy S9 Galaxy Note8Galaxy ualcommSamsungQualcommCPUExynos 9820SM8150Exynos 9810SDM845Exynos 8895MSM8998Version: 0.5Date: 4.14.784.9.594.9.1124.4.1114.4.153Build e 2 - Evaluated DevicesIn addition to the evaluated devices, the following device models are claimed as equivalent with a noteabout the differences between the evaluated device and the equivalent models.Evaluated DeviceCPUEquivalent DevicesGalaxy S10e (Samsung)Exynos 9820Galaxy S10 (Samsung)Galaxy S10 (Samsung)Galaxy S10 5G (Samsung)Galaxy S10 (Qualcomm)SM8150Galaxy S10e (Qualcomm)Galaxy S10 (Qualcomm)Galaxy S10 5G (Qualcomm)Galaxy Fold (Qualcomm)Galaxy S9 (Samsung)Exynos 9810Galaxy S9 (Qualcomm)SDM845Galaxy S9 (Qualcomm)Galaxy Note9 (Qualcomm)Galaxy Note8 (Samsung)Exynos 8895Galaxy S8 (Samsung)Galaxy S8 (Samsung)MSM8998Galaxy S8 (Qualcomm)Galaxy S8 (Qualcomm)Galaxy S8 Active(Qualcomm)Galaxy Tab S4 (All)Galaxy S9 (Samsung)Galaxy Note8 (Qualcomm)Galaxy Note9 (Samsung)Galaxy XCover FieldProDifferences S10 & S10 have ultrasonicfingerprint sensor S10 & S10 have larger screensizes S10 5G has different cellularmodem S10e & Fold has side imagefingerprint sensor S10 & S10e have smaller screensizes S10 5G has different cellularmodem Fold has 2 screens S9 has smaller screen Note9 includes S Pen &functionality to take advantageof it for input (not securityrelated) XCover FieldPro is smaller, hashardened shell, removablebattery, Push-to-Talk button S9 has smaller screen Note9 includes S Pen &functionality to take advantageof it for input (not securityrelated) S8 & S8 do not include S Pen S8 & S8 are smaller S8, S8 & S8 Active do notinclude S Pen S8, S8 & S8 Active are smaller S8 Active has a IP68 & MIL-STD810G certified body Tab S4 (T83x) is tablet formfactor (no voice calling) T835 & T837 tablets have LTE T830 tablets only have Wi-Fi7 of 87