Ärendetyp: 6 Diarienummer: 15FMV10190-35:1

Dokument ID CSEC-37-1072

HEMLIG/
enligt Offentlighets- och sekretesslagen
(2009:400)

2016-10-13

Country of origin: Sweden

Försvarets materielverk

Swedish Certification Body for IT Security

Certification Report Arbit Data Diode 2.0

Issue: 1.0, 2016-okt-13

Authorisation: Dag Ströman, Head of CSEC , CSEC

Template: CSEC_mall_doc, 7.0

Uncontrolled copy when printed

 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

Table of Contents
1  Executive Summary 3 
2  Identification 4 
3  Security Policy 5 
4  Assumptions and Clarification of Scope 6 
4.1  Usage Assumptions 6 
4.2  Environmental Assumptions 6 
4.3  Clarification of Scope 6 
5  Architectural Information 7 
6  Documentation 8 
7  IT Product Testing 9 
7.1  Test Configuration 9 
7.2  Developer Testing 9 
7.3  Evaluator Testing Effort 9 
7.4  Evaluator Penetration Testing 9 
8  Evaluated Configuration 10 
9  Results of the Evaluation 11 
10  Evaluator Comments and Recommendations 13 
11  Glossary 14 
12  Bibliography 15 
Appendix A  Scheme Versions 16 
A.1  Scheme/Quality Management System 16 
A.2  Scheme Notes 16 

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 2 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

1 Executive Summary
The Target of evaluation, TOE, is a one-way data diode for optical information.
The TOE implements the one-way data diode through a repeater, where a fiber optic
network cable is connected to the LOW port and a fiber optic network cable is con-
nected to the HIGH port.
Information can only be received from the LOW network connected on the LOW port,
and no light can spill over to the LOW port from the HIGH port.
Information received on the LOW port is allowed to exit through the HIGH port,
without further processing.
The TOE design is presented solely using modules. The abstraction level of subsys-
tems was not found to be required due to the simple design of the TOE.
The TOE consists of one module, the PCBA module. It represents the populated print-
ed circuit board. The PCBA module has seven interfaces, two of which are TSF inter-
faces.
The TOE is a static hardware-only product, and consists of a printed circuit board.

The evaluation has been performed by atsec information security AB in their premises
in Danderyd, Sweden.
The evaluation was conducted in accordance with the requirements of Common Crite-
ria, version 3.1, release 4, and the Common Methodology for IT Security Evaluation,
version 3.1, release 4.
atsec information security AB is a licensed evaluation facility for Common Criteria
under the Swedish Common Criteria Evaluation and Certification Scheme. atsec in-
formation security AB is is also accredited by the Swedish accreditation body
SWEDAC according to ISO/IEC 17025 for Common Criteria evaluation.
The certifier monitored the activities of the evaluator by reviewing all successive ver-
sions of the evaluation reports. The certifier determined that the evaluation results
confirm the security claims in the Security Target [ST], and have been reached in
agreement with the requirements of the Common Criteria and the Common Methodol-
ogy for evaluation assurance level:
EAL5 + AVA_VAN.5 and ALC_FLR.1

The certification results only apply to the version of the product indicated in the cer-
tificate, and on the condition that all the stipulations in the Security Target are met.
This certificate is not an endorsement of the IT product by CSEC or any other organ-
isation that recognises or gives effect to this certificate, and no warranty of the IT
product by CSEC or any other organisation that recognises or gives effect to this
certificate is either expressed or implied.

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 3 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

2 Identification
Certification Identification
Certification ID CSEC2015011
Name and version of the Arbit Data Diode 2.0
certified IT product
Security Target Identification Arbit Data Diode Security Target, version 4.0, 2016-
09-05
EAL EAL5 +AVA_VAN.5 and ALC_FLR.1
Sponsor Eurotempest AB, Teknikringen 10, Linköping. Swe-
den
Developer Eurotempest AB, Teknikringen 10, Linköping. Swe-
den
ITSEF atsec information security AB, Svärdvägen 3C, S-
182 33 Danderyd, Sweden
Common Criteria version 3.1 release4
CEM version 3.1 release 4
Certification date 2016-10-13

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 4 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

3 Security Policy
The TOE implements the One-Way information flow control policy (One-Way SFP),
which is defined as:
Subjects:
 LOW port
The input interface of the data diode.
 HIGH port
The output interface of the data diode.
Information:
 An optical signal that can traverse the HIGH or LOW port.
Policy:
 Information is allowed to enter the TOE through the LOW port and may leave
through the HIGH port.
 Information is not allowed to leave the TOE through the LOW port.

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 5 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

4 Assumptions and Clarification of Scope

4.1 Usage Assumptions
The Security Target [ST] makes one assumption on the usage of the TOE.
A.INTEGRATOR - The integrator who is performing the installation of the TOE is
well-trained and competent in the prevention of signal leakage, and will properly ad-
here to the TOE guidance.

4.2 Environmental Assumptions

One assumption on the environment is made in the Security Target.
A.PHYSICAL - The TOE and its interfaces will be physically protected from unau-
thorized access and mechanical, electrical, optical, radiation or any other form of
physical influence.

4.3 Clarification of Scope

The Security Target [ST] contains one threat, which have been considered during the
evaluation.
T.DATA_LEAK - TA-LOW and/or TA-HIGH threat agents may be able to cause
HIGHINFO to exit the TOE through the LOW port.

The Security Target [ST] contains one organisational security policies:

P.ONE_WAY_FLOW - The TOE shall allow information to enter through the LOW
port and then leave through the HIGH port.

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 6 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

5 Architectural Information
The TOE is a one-way data diode for optical information. It can be the connection
point between a high security and low security network. The actual transmission is
handled by two dedicated servers, with the data diode in between them. The data diode
ensures that information can only flow from the pitcher to the catcher, but not the oth-
er way. This allows for automated information transfer from the low security network
to the high security network without manual intervention, while preventing the oppo-
site ow direction. Another usage scenario is the export of information from a protected
network to a more open environment. The security goal is in this case to allow the ex-
port, while preventing any potential attacks from reaching the protected network.
The TOE implements the one-way data diode by repeating the signal emitted by the
pitcher (part of the LOW network) to the catcher (part of the HIGH network). The op-
tical fiber from the pitcher connects to the LOW port of the TOE. The optical fiber to
the catcher connects to the HIGH port of the TOE. The only allowed information flow
is therefore from the LOW to the HIGH side. The HIGH port has a physical light
emitter. The LOW port has a physical light receiver and has no light emitting capabil-
ity. The TOE implementation is only utilizing the physical property of the LOW port
and is not dependent on any software.
All signal processing in the TOE is performed in hardware at the Physical Medium
Dependent sublayer in Ethernet [IEEE 802.3]. The TOE does not perform any higher
layer signal parsing such as Ethernet frames or TCP/IP processing.
The TOE supports a range of light signals up to 10.3125 Gbps. The specific supported
light range of each TOE is determined during production based on customer require-
ments.

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 7 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

6 Documentation
Arbit Data Diode Integrator Guide v2.0 [IGUIDE].

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 8 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

7 IT Product Testing
7.1 Test Configuration
Since the TOE is a static hardware product, no configuration of the TOE is needed
during the testing.

7.2 Developer Testing

7.2.1 Testing Effort
The TOE is a one-way data diode for optical information, which ensures that the in-
formation flow through the data diode is one-way only. It is hardware-only, and con-
sists of a printed circuit board. Due to its simplicity, the TOE is solely described at the
module level. One module is defined, which has seven module interfaces. Two of the
seven interfaces are TSFIs.
The developer devised four test cases to test the TOE. Each test case consists of sever-
al test steps, and each test step contains one specific task to perform, e.g. connecting a
cable between the TOE and the testing equipment. All the tests are manually executed
and do not need any automatic testing scripts.

7.2.2 Results
The developer has provided the results of all test cases that were performed. All tests
were successful.

7.3 Evaluator Testing Effort

7.3.1 Testing Effort
Since the TOE is fairly simple and its functionality is straightforward, the developer
devised four test cases to test every instance of the TOE. Therefore, the evaluator de-
cided to re-run all the four developer tests instead of using a sampling strategy.
Furthermore, the evaluator supplemented the developer testing strategy by adding new
tests in order to provide better coverage and depth in the TOE testing. Four evaluator
tests were added.

7.3.2 Results
The re-run of the developer tests was performed by the evaluator successfully. All
evaluator tests were performed successfully - expected and actual results were con-
sistent.

7.4 Evaluator Penetration Testing

In order to identify potential vulnerabilities in the TOE, the evaluator performed an
independent methodical analysis and a search of public domain sources. The vulnera-
bility analysis did not reveal any potential vulnerability in the TOE. The evaluator also
concluded that the tests already performed were sufficient and no further penetration
testing was required

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 9 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

8 Evaluated Configuration
The TOE is a static hardware product, and consists of a printed circuit board. No con-
figuration is needed or possible.

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 10 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

9 Results of the Evaluation

The evaluators applied each work unit of the Common Methodology [CEM] within
the scope of the evaluation, and concluded that the TOE meets the security objectives
stated in the Security Target [ST] for an attack potential of Enhanced-Basic.
The certifier reviewed the work of the evaluator and determined that the evaluation
was conducted in accordance with the Common Criteria [CC].
The evaluators overall verdict is PASS.
The verdicts for the respective assurance classes and components are summarised in
the following table:
Assurance Class / Family Short name Verdict
Development ADV PASS
Security architecture description ADV_ARC.1 PASS
Complete semi-formal functional spec- ADV_FSP.5 PASS
ification with additional error infor-
mation
Implementation representation of the ADV_IMP.1 PASS
TSF
Well-structured internals ADV_INT.2 PASS
Semiformal modular design ADV_TDS.4 PASS
Guidance documents AGD PASS
Operational user guidance AGD_OPE.1 PASS
Preparative procedures AGD_PRE.1 PASS
Life-cycle support ALC PASS
Production support, acceptance proce- ALC_CMC.4 PASS
dures and automation
Development tools CM coverage ALC_CMS.5 PASS
Delivery procedures ALC_DEL.1 PASS
Identification of security measures ALC_DVS.1 PASS
Basic flaw remediation ALC_FLR.1 PASS
Developer defined life-cycle model ALC_LCD.1 PASS
Compliance with implementation ALC_TAT.2 PASS
standards
Security Target evaluation ASE PASS
ST introduction ASE_INT.1 PASS
Conformance claims ASE_CCL.1 PASS
Security problem definition ASE_SPD.1 PASS
Security objectives ASE_OBJ.2 PASS
Extended components definition ASE_ECD.1 PASS
Derived security requirements ASE_REQ.2 PASS
TOE summary specification ASE_TSS.1 PASS
Tests ATE PASS

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 11 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

Analysis of coverage ATE_COV.2 PASS

Testing: modular design ATE_DPT.3 PASS
Functional testing ATE_FUN.1 PASS
Independent testing - sample ATE_IND.2 PASS
Vulnerability assessment AVA PASS
Methodical vulnerability analysis AVA_VAN.5 PASS

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 12 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

10 Evaluator Comments and Recommendations

The evaluators do not have any comments or recommendations concerning the prod-
uct or using the product.

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 13 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

11 Glossary
CEM Common Methodology for Information Technology Security,
document describing the methodology used in Common Cri-
teria evaluations
ITSEF IT Security Evaluation Facility, test laboratory licensed to
operate within a evaluation and certification scheme
ST Security Target, document containing security requirements
and specifications , used as the basis of a TOE evaluation
TOE Target of Evaluation
Catcher The entity receiving information from the data diode. It re-
sides on the HIGH network.
Data diode A device that allows information to flow from the input to the
output, but not the other way.
HIGH network The network which is to receive information from the LOW
network, through the TOE.
HIGH port The output interface of the data diode. HIGH devices and
networks are connected to this interface.
HIGH system Any system residing on the HIGH network, excluding the
TOE.
Information An optical signal that can traverse the HIGH or LOW port.
LOW network The network from which information is to be sent to the
HIGH network, through the TOE.
LOW port The input interface of the data diode. LOW devices and net-
works are connected to this interface.
LOW system Any system residing on the LOW network, excluding the
TOE.
Pitcher The entity sending information to the data diode. It resides on
the LOW network.
Port The physical interface by which the optical cables are con-
nected to the TOE.

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 14 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

12 Bibliography
[ST] Arbit Data Diode Security Target, version 4.0, 2016-09-05
[IGUIDE] Arbit Data Diode Integrator Guide, version 2.0, 2016-09-05
[IEEE 802.3] IEEE Standard for Ethernet
http://standards.ieee.org/about/get/802/802.3.html
[CCp1] Common Criteria for Information Technology Security Evaluation,
Part 1: Introduction and general model, version 3.1, revision 4, Sep-
tember 2012, CCMB-2012-09-001
[CCp2] Common Criteria for Information Technology Security Evaluation,
Part 2: Security functional components, version 3.1, revision 4, Sep-
tember 2012, CCMB-2012-09-002
[CCp3] Common Criteria for Information Technology Security Evaluation,
Part 3: Security Assurance Components, version 3.1, revision 4,
September 2012, CCMB-2012-09-003
[CEM] Common Methodology for Information Technology Security Evalu-
ation, Evaluation methodology, version 3.1, revision 4, September
2012, CCMB-2012-09-004

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 15 (16)
 Swedish Certification Body for IT Security
Certification Report Arbit Data Diode 2.0

Appendix A Scheme Versions

During the certification the following versions of the Swedish Common Criteria Eval-
uation and Certification scheme has been used.

A.1 Scheme/Quality Management System

Version Introduced Impact of changes
1.19.3 2016-06-02 No impact
1.19.2 2016-04-28 No impact
1.19.1 2016-03-07 No impact
1.19 2016-02-05 No impact
1.18.1 Application Original version

A.2 Scheme Notes

Version Introduced Impact of changes
4.0 Application Original version

15FMV10190-35:1 1.0 2016-10-13

CSEC-37-1072 16 (16)