Common Criteria Protection Profile. Strong Privacy Protection Mechanisms for the Survey System
|
|
- Helen Charles
- 7 years ago
- Views:
Transcription
1 Common Criteria Protection Profile Strong Privacy Protection Mechanisms for the Survey System working draft, version: 1.0 Anna Lauks-Dutka Wroc law,
2 Contents 1 PP Introduction The Target of Evaluation Overview TOE type TOE usage and major security features Required non-toe hardware/software/firmware Conformance Claims CC Conformance Claim PP Claim Package Claim Conformance Statement TOE description TOE description TOE description - physical scope TOE description - logical scope Security Problem Definition Assets Roles/Subjects Assumptions Threads Organizational Security Policies Security Objectives Security Objectives for the TOE Security Objectives for the Operational Environment Security Objective Rationale Extended Component Definition Definition of the Family FCS RNG Security Requirements Security Functional Requirements Class FCS: Cryptographic support Class FDP: User Data Protection Class FPR: Privacy Class FPT: Protection of the TSF Security Requirements Rationale
3 7.2.1 Security Functional Requirements Rationale Security Assurance Requirements
4 Chapter 1 PP Introduction 1.1 The Target of Evaluation Overview TOE type The Target of Evaluation (TOE) is a set of cryptographic algorithms dedicated for the survey system that preserves strong privacy of users filling the questionnaires stored in the system. Cryptographic security functions of TOE protect the integrity of questionnaires, ensure the authenticity of stored data and unlinkability of users that fill particular questionnaires TOE usage and major security features The TOE needs the following input data: questionnaires, for each questionnaire a set of public keys of users that are rightful to fill it. From a technical point of view the system that implements the algorithms of TOE should be integrated with some other existing system that operates the same set of users and is among others responsible for: user s public key registration, public key management, deciding which questionnaires a particular user is rightful to upload. The basic security features provided by TOE are: 1. Only authorized users can upload a valid questionnaires. 2. Integrity and authenticity of the questionnaire is preserved due to the signature of the questionnaire created by the user who fill it. 3. Verification of the signature is possible using pseudonyms. 4. Pseudonyms are generated in cooperation with two special Certification Authorities - CA1 and CA2. 3
5 5. The questionnaires are singed in such a way that the anonymity of the user is preserved i.e. that having a signed questionnaire, there is no possibility of connecting the personal data of a particular user with the pseudonym used for signing until CA1 cooperates with CA2. 6. The user does not have to remember or store any of his pseudonyms. 7. In order to sign in anonymous way user needs only to have one private, public key pair and get some public data related to a particular questionnaire computed by CA1 and CA2. 8. One authorized user can upload a questionnaire many times. Each time using the same pseudonym. 9. One authorized user can upload different questionnaires, using different pseudonyms in such a way that the linkability of his pseudonyms is not possible until CA1 cooperates with CA In case of dispute, when both Certification Authorities cooperates they may perform the deanonymization procedure Required non-toe hardware/software/firmware A part of the TOE that supports users in creating an anonymous signature of a given message is intended to be implemented as a stand alone application and used as an IT product on a user personal computer. The secure private, public key pair generation and preserving the physical security of the secret key of the user is out of the scope of the TOE. The IT-environment should support protection of the application and the private key used by it during the signature creation against unauthorized usage and modification by suitable protection mechanisms. A part of the TOE that supports pseudonyms generation needs to be implemented in the IT-environment that supports physical protection of the private values used by it against unauthorized usage and modification. Moreover it is assumed that these components as well as a web-server that implements algorithms for the signed questionnaires verification should be located within controlled access facilities which will prevent unauthorized physical access. 4
6 Chapter 2 Conformance Claims 2.1 CC Conformance Claim This protection profile claims conformance to: Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model; CCMB , Version 3.1, Revision 3, July 2009 [1] Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components; CCMB , Version 3.1, Revision 3, July 2009 [2] Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Requirements; CCMB , Version 3.1, Revision 3, July 2009 [3] as follows Part 2 conformant Part 3 conformant 2.2 PP Claim This PP does not claim conformance with any other PP. 2.3 Package Claim The current PP does not claim conformance with any security requirements package. 2.4 Conformance Statement This PP requires strict conformance of any ST or PP claiming to this PP. 5
7 Chapter 3 TOE description 3.1 TOE description This section discusses the physical and logical scope of the TOE in detail. 3.2 TOE description - physical scope The Target Of Evaluation is composed of multiple algorithms and procedures dedicated for the survey system that support strong privacy protection of users that fill the questionnaires. It allows authorized users to upload questionnaires signed in anonymous way. As an authorized user we mean a registered user of the system, that is rightful to upload a particular questionnaire. TOE is distributed product which consists internally of the following separates parts: application for users, two independent Certification Authorities - CA1 and CA2, survey server. The application for users supports users in creating an anonymous signature of a given message. The private and public key pair for questionnaire signing is generated for each user (on PC, smart card etc.) according to delivered algorithm. The secure key pair generation and preserving the physical security of the secret key of the user is outside of the scope of the TOE. Moreover, it is assumed that outside of the scope of the TOE is deciding who and which questionnaire is rightful to fill. Thus the following data are the input of the TOE: questionnaires, for each questionnaire a set of public keys of users that are rightful to fill it. To get these data TOE cooperates or is partially integrated with another existing system - S1, which operates the same set of users and is among others responsible for: 6
8 user s public key registration, public key management, deciding which questionnaires a particular user is rightful to upload. It is important to ensure totally (physical and administrative) independence of the component that implements algorithms of the first Certification Authority - CA1 from the component that implements algorithms for the second Certification Authority - CA2. However ensuring independence of these parties (including independence staff administration) is out of the scope of the TOE. The first Certification Authority is responsible for the first step in the anonymization process. It performs some computation on the subset of public keys of legitimate users and transmits output to the second Certification Authority. The second independent Certification Authority also performs some computation in order to compute final list of pseudonyms of legitimate users rightful to upload a particular questionnaire. Preserving the physical security of the private values stored by the real components that implement CA1 and CA2 against unauthorized usage and modification is out of the scope of the TOE. The final list of pseudonyms of legitimate users rightful to upload a particular questionnaire list is then transmitted to the survey server. From the survey server legitimate users can download a particular questionnaire together with additional parameters necessary for signing a questionnaire in anonymous way. The signed questionnaire can be afterwards by the user uploaded to the server. The survey server checks the validity of the signature and informs the user about the result of the verification. CA1 and CA2 as well as a surveys server that implements algorithms for the signed questionnaires verification should be located within controlled access facilities which will prevent unauthorized physical access. Moreover, it is assumed that finally, if the verification of the signature is correct, the signed questionnaires are stored at the surveys database. Preserving the physical security of this database is also out of the scope of the TOE. The physical scope and the physical boundary of the overall solution is presented on the figure TOE description - logical scope For the user TOE allows to: generate a private, public key pair, sign a questionnaire downloaded from the survey server in anonymous way, upload a valid questionnaire to the survey server if the user is rightful to do that. For the CA1 the TOE allows to: generate lists of anonymized public keys (pseudonyms) for a particular questionnaire (having the public keys of the legitimate users), check the integrity of the final list of pseudonyms, 7
9 S1 CA1 CA2 Survey-server User's API Surveydatabase TOE User Figure 3.1: Illustration of the TOE boundaries. deanonymize questionnaires of users stored by the survey server in cooperation with CA2. For the CA2 the TOE allows to: perform the second phase of the anonymization of pseudonyms for a particular questionnaire, check the integrity of the final list of pseudonyms, prove the survey server that it performed computation on the lists of pseudonyms for a particular questionnaires properly, deanonymize questionnaires of users in cooperation with CA1. For the survey server TOE allows to: check if lists of anonymized public keys (pseudonyms) for a particular questionnaires were anonymized by CA2 properly, check if the questionnaires were uploaded by the legitimate users. The main security feature provided by TOE is to ensure strong and verifiable integrity and authenticity of the questionnaires stored by the survey server achieving the anonymity of users that filled them at the same time. This goal is achieved by: signing the questionnaires by the user who filled them, verifying the signatures of the questionnaires, two-step anonymization of the public key used for signature verification, 8
10 co-verification of the anonymization performed by CA1 and CA2. Two components of the TOE - CA1 and survey server can be integrated with external system S1 who controls privileges of users. To achieve full anonymity of signed questionnaires the TOE uses second Certification Authority CA2 (independent of CA1). The TOE ensures also that this second Certification Authority behaves properly with high probability. The anonymity of signed questionnaires denotes that: 1. Having a signed questionnaire, there is no possibility of connecting the personal data of a particular user with the pseudonym used for signing until CA1 cooperates with CA2. 2. One authorized user can upload different questionnaires, using different pseudonyms in such a way that the linkability of his pseudonyms is not possible until CA1 cooperates with CA2. However in case of dispute, when both Certification Authorities cooperates they may perform controlled the deanonymization procedure and find out the public key of the user that corresponds to the pseudonym used for signing. From the user s application point of view important security features are: the user does not have to remember or store any of his pseudonyms, in order to sign in anonymous way user needs only to have one private, public key pair and get some public data related to a particular questionnaire computed by CA1 and CA2. 9
11 Chapter 4 Security Problem Definition The following chapter describes the threats, organizational policies and assumptions for the TOE addressed within this protection profile. 4.1 Assets The TOE shall protect the following IT assets: 1. Users private key User s private key used for signing. Protection goal: confidentiality. 2. Users main identity User s main public key that corresponds with the private signing key. Protection goal: unlinkability of main identity and each pseudonym of the same user. 3. Pseudonyms Pseudonym i.e. anonymized public key of the user. Protection goal: integrity and unlinkability of all pseudonyms of the same user. 4. Certification Authorities Private Values Certification Authorities Private Values i.e. the values generated by the Certification Authorities CA1 and CA2 for the anonymization/deanonymization process. Protection goal: confidentiality and integrity. 5. List of pseudonyms List of anonymized public keys of legitimate users stored together with questionnaires in order to determine if the surveys were uploaded by the rightful users. Protection goal: authenticity and integrity. 10
12 4.2 Roles/Subjects This PP considers the following subjects: 1. First Certification Authority - CA1 CA1 is one of the two certification authorities, which participates in the anonymization process. It gets the list of public keys connected with a particular questionnaire from the trusted source, perform some computation and sends the output to CA2. 2. Second Certification Authority - CA2 CA2 is the second certification authority, which participates in the anonymization process. It gets the list of pseudonyms from CA1, perform some computation and sends the output to the survey server. 3. Survey Server A web-server that allows users to fill and upload the questionnaires. The server is also responsible for checking if the list of pseudonyms it gets for a particular questionnaire from CA2 was created properly. 4. Legitimate User The holder of a private key related to a public key of registered user that is rightful to upload a questionnaire. 4.3 Assumptions This section describes the security aspects of the intended environment for the evaluated TOE. The operational environment must be managed in accordance with assurance requirement documentation for delivery, operation, and user guidance. The following specific conditions are required to ensure the security of the TOE and are as assumed to exist in an environment where this TOE is employed. A.PHYSICAL Components CA1 and CA2 and survey server will be located within controlled access facilities which will prevent unauthorized physical access. A.USER Legitimate users are trustworthy. They generate private-public key pair according to the delivered guidance and store the private signing key in a secure manner. A.PLATFORM The TOE is installed on a personal computer supervised by the legitimate user. It is assumed that those resources the TOE is relying on can not be manipulated without user notification. The legitimate user is supposed to protect the underlying platform against logical attacks by Malware. 11
13 A.INPUT For a particular questionnaire the TOE shall be given (from the trusted source) a proper input, i.e. the list of the public keys of users who are rightful to upload a signed questionnaire. 4.4 Threads This section describes the threads to be averted by the TOE independently or in collaboration with its IT environment. These threads result from the TOE method of the use in operational environment and the assets stored in or protected by the TOE. The following threads are applicable: T.UNUSER The attacker may attempt to upload a questionnaire as an unauthorized user (whose pseudonym is not in the list of pseudonyms) for this questionnaire. Security goal: to detect and block of uploading a questionnaire by an unauthorized user. T.FAKEDID The attacker may try to create a faked identity (for a user who is not rightful to fill, sign and upload a particular questionnaire) and influence on the white list (list of pseudonyms) for a particular questionnaire in such a way that the signature uploaded using this faked user will be valid. In this kind of threats the attacker may even control CA2 (but not CA1 - this one is assume to be trusted in this context) Security goal: integrity of white lists on which operation performs CA2. T.FORGE On the basis of any set of pseudonyms and signed questionnaires, the attacker may attempt to upload a valid questionnaire on behalf of a legitimate user. Security goal: confidentiality of the user s secret key. T.LINK The Attacker on the basis of any set of pseudonyms and signed questionnaires may attempt to link two questionnaires uploaded and signed by the same user i.e. to be able to guess that two pseudonyms refer to the same public key. This kind of attack may be performed even by someone who controls CA1 or CA2 (but not both of them). Security goal: unlinkability of the pseudonyms used by the same user. 12
14 T.DEANONYM The attacker may attempt to deanonymize a signed questionnaire i.e. to link a pseudonym with the main identity of a user (a public key of the particular user). This kind of attack may be performed even by someone who controls CA1 or CA2. It is assumed that TOE allows to perform controlled deanonymization process of a particular signed questionnaire only if CA1 and CA2 collaborate. Security goal: unlinkability of the public key and pseudonyms used by the same user. T.BREAKCA1 The Attacker on the basis of any set of outputs of the anonymization procedure performed by the CA1 and CA2 may attempt to get the private values that CA1 is using during the anonymization procedure in order to compromise it. This kind of attack may be performed even by someone who controls CA2. Security goal: confidentiality of the CA1 private values. T.BREAKCA2 The Attacker on the basis of any set of outputs of the anonymization procedure performed by the CA1 and CA2 may attempt to get the private values that CA2 is using during the anonymization procedure in order to compromise it. This kind of attack may be performed even by someone who controls CA1. Security goal: confidentiality of the CA2 private values. T.CAEXCLUDE The Attacker may attempt to exclude one or both Certification Authorities from the anonymization process. Security goal: authenticity and integrity of the list of pseudonyms 4.5 Organizational Security Policies There are no Organizational Security Policies. 13
15 Chapter 5 Security Objectives This chapter describes the security objectives for the TOE and the security objectives for the TOE environment. 5.1 Security Objectives for the TOE This section describes the security objectives for the TOE. They address the aspects of the threads identified in the previous chapter. OT.SIGN The TOE shall provide methods for a secure signing questionnaires by the legitimate users. The signature should ensure that the signature is created only by the owner of an appropriate private key but the signature itself should not reveal the main identity of the user. It should enable to cerate signature using not only private key but also some additional input values that enable to verify the signature using not the public key of the user but the anonymized public key (pseudonym). OT.SIGCHECK The TOE shall verify the signatures of the questionnaires in order to check if questionnaires were uploaded only by the legitimate users. It should block adding a signed questionnaire if verification of the signature fails. The verification of the signature should not reveal the main identity of the user. The TOE should ensure the verification of the signature to be performed using the anonymized public key. OT.UNLINKINOUT The TOE shall ensure unlinkability of inputs and outputs of CA1 as well as CA2. 14
16 OT.UNLINKPSEUDO The TOE shall ensure that if CA1 gets the same public key in two different inputs or CA2 gets the same anonymized public key in two different inputs the outputs computed on these inputs are unlikable. OT.CAPRIV The TOE shall ensure the confidentiality of the private values used by the CA1 and CA2. OT.CA2VERIFY The TOE shall ensure verifiability of the anonymization procedures performed by CA2.The verifiability procedure should with high probability ensure that the output generated by the CA2 corresponds to a proper input. OT.LISTINTEGRITY The TOE shall ensure integrity and authenticity of the lists of pseudonyms for a particular questionnaire at each step of processing. 5.2 Security Objectives for the Operational Environment This section describes the security objectives for the TOE s operational environment. OE.PHYSICAL Components CA1 and CA2 will be located within controlled access facilities which will prevent unauthorized physical access. OE.USER Legitimate users are trustworthy. They generate private-public key pair according to the delivered guidance and store the private signing key in a secure manner. OE.PLATFORM Part of the TOE responsible form signature creation is installed on a personal computer supervised by the legitimate user. It is assumed that those resources the TOE is relying on can not be manipulated without user notification. The legitimate user is supposed to protect the underlying platform against logical attacks by Malware. 15
17 OT.SIGN OT.SIGCHECK OT.UNLINKINOUT OT.UNLINKPSEUDO OT.CAPRIV OT.CA2VERIFY OT.LISTINTEGRITY OE.PHYSICAL OE.USER OE.PLATFORM OE.INPUT T.UNUSER X T.FAKEDID X T.FORGE X X X T.DEANONYM X X X X T.LINK X X T.BREAKCA1 X T.BREAKCA2 X T.CAEXCLUDE X A.PHYSICAL X A.USER X A.PLATFORM X A.INPUT X Table 5.1: Security Objective Rationale OE.INPUT For a particular questionnaire the TOE shall be given (from the trusted source) a proper input, i.e. the list of the public keys of users who are rightful to upload a signed questionnaire. 5.3 Security Objective Rationale The table 5.1 provides an overview for security objectives coverage. The threat T.UNUSER is directly addressed by the objective OT.SIGCHECK requiring the TOE to verify the signatures of the questionnaires in order to check if questionnaires were uploaded by the user, whose pseudonym is on a proper white list and block adding a signed questionnaire if verification of the signature fails. The threat T.FAKEDID is directly addressed by the objective OT.CA2VERIFY requiring the TOE to ensure verifiability of the anonymization procedures performed by CA2. The verifiability procedure should with high probability ensure that the output generated by the CA2 corresponds to a proper input. Thus the integrity of a particular list of pseudonyms while processing by CA2 is preserved. The threat T.FORGE is addressed by the objective OT.SIGN and and the objectives for the environment OE.USER and OE.PLATFORM. The objective OT.SIGN requires the TOE to implement methods for a secure signing of questionnaires. The signature scheme used should ensure that the signature 16
18 is created only by the owner of an appropriate private key. On the other hand OE.USER and OE.PLATFORM require the legitimate user to keep the private signing key in a secure manner and to protect the underlying platform against logical attacks by Malware. The threat T.DEANONYM is addressed by the objectives OT.SIGN, OT.SIGCHECK, OT.UNLINKINOUT and OT.CAPRIV. The objective OT.SIGN requires the TOE to implement methods for a secure signing of questionnaires in such a way that the signature itself should not reveal the main identity of the user. The objective OT.SIGCHECK requires the TOE to use signature scheme for which the verification procedure does not reveal the main identity of the user (by performing the verification of the signature using the anonymized public key). The objective OT.UNLINKINOUT requires the TOE to ensure unlinkability of all inputs and outputs of CA1 and CA2. Thus, if CA1 is honest, even CA2 is not able to link any public key with any final pseudonym. If CA2 is honest, even CA1 is not able to link any public key with any final pseudonym. Finally the objective OT.CAPRIV requires the TOE to ensure confidentiality of the private values used by the CA1 and CA2 that are necessary for performing the controlled deanonymization procedure. The threat T.LINK is addressed by the objectives OT.UNLINKPSEUDO and OT.CAPRIV The objective OT.UNLINKPSEUDO requires the TOE to ensure that if CA1 gets the same public key in two different inputs or CA2 gets the same anonymized public key in two different inputs the outputs computed on these inputs are unlikable. Thus, if CA1 is honest, even CA2 is not able to link any public key with any final pseudonym. If CA2 is honest, even CA1 is not able to link the any public key with any final pseudonym. Finally the objective OT.CAPRIV requires the TOE to ensure confidentiality of the private values used by the CA1 and CA2 that are necessary for performing the controlled deanonymization procedure. The threat T.BREAKCA1 is addressed directly by the objectives OT.CAPRIV requiring the TOE to ensure confidentiality of the private values used by the CA1. The threat T.BREAKCA2 is addressed directly by the objectives OT.CAPRIV requiring the TOE to ensure confidentiality of the private values used by the CA2. The threat T.CAEXCLUDE is addressed directly by the objective OT.LISTINTEGRITY requiring the TOE to ensure integrity and authenticity of the list of pseudonyms at each step of processing. The assumption A.PHYSICAL is addressed directly by the objective for the environment OE.PHYSICAL requiring of locating the components CA1 and CA2 within controlled access facilities which will prevent unauthorized physical access. The assumption A.USER is addressed directly by the objective for the environment OE.USER claiming that the legitimate users are trustworthy and that they generate private-public key pair according to the delivered guidance and store the private signing key in a secure manner. The assumption A.PLATFORM is addressed directly by the objective for the environment OE.PLATFORM claiming that legitimate user is supposed to protect the underlying platform against logical attacks by Malware. 17
19 Chapter 6 Extended Component Definition 6.1 Definition of the Family FCS RNG This section describes the functional requirements for the generation of random number used as a secret for cryptographic operations. The IT security functional requirements for a TOE are defined in an additional family (FCS RNG) of the class FCS (Cryptographic support). The family Random number generation (FCS RNG) is specified as follows: FCS RNG Random number generation Family behaviour The family defines quality requirements for the generation of random numbers, which are intended to be used as secrets for cryptographic operations. Component leveling FCS RNG: Random number generation 1 FCS RNG.1 Generation of random numbers requires that the random number generator implements defined security capabilities and the random numbers meet a defined quality metrics. Management: FCS RNG.1 There are no management activities foreseen. Audit: FCS RNG.1 There are no auditable events foreseen. 18
20 FCS RNG.1 Random number generation Hierarchical to: Dependencies: No other components. No dependencies. FCS RNG.1.1 FCS RNG.1.2 The TSF shall provide a [selection: non-physical true, deterministic, physical hybrid, deterministic hybrid] random number generator, which implements: [assignment: list of security capabilities]. The TSF shall provide random numbers that meet [assignment: defined quality metrics]. 19
21 Chapter 7 Security Requirements 7.1 Security Functional Requirements Class FCS: Cryptographic support The TOE shall meet the requirements from class FCS Cryptographic support as specified below FCS CKM FCS CKM.1 Cryptographic Key Generation The TOE shall meet requirement Cryptographic key generation (FCS CKM.1) as specified below (CC Part 2). The iterations are caused by different cryptographic keys to be generated by the TOE. Hierarchical to: Dependencies: No other components. [FCS CKM.2 Cryptographic key distribution, or FCS COP.1 Cryptographic operation] FCS CKM.4 Cryptographic key destruction FCS CKM.1/CA1 Cryptographic key generation - CA1 FCS CKM.1.1/CA1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes of at least 256 bit that meet the following: [assignment: list of standards]. Application Note 1 This SFR requires the TOE to generate the key used as an entropy input for the random number generator utilized by CA1 FCS CKM.1/CA2 Cryptographic key generation - CA2 20
22 FCS CKM.1.1/CA2 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes of at least 256 bit that meet the following: [assignment: list of standards]. Application Note 2 This SFR requires the TOE to generate the key used as an entropy input for the random number generator utilized by CA2 FCS CKM.1/SIG Cryptographic key generation - Signature FCS CKM.1.1/SIG The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm DSA, ECDSA and specified cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [4] Application Note 3 This SFR requires the TOE to generate the private, public key pair for DSA or ECDSA used for questionnaires signing FCS COP FCS COP.1 Cryptographic Operation The TOE shall meet requirement Cryptographic operation (FCS COP.1) as specified below (CC Part 2). The iterations are caused by different cryptographic algorithms to be implemented by the TOE. Hierarchical to: Dependencies: No other components. [FDP ITC.1 Import of user data without security attributes, or FDP ITC.2 Import of user data wit security attributes, or FCS CKM.1 Cryptographic key generation] FCS CKM.4 Cryptographic key destruction FCS COP.1/SIG Cryptographic operation - Signature creation FCS COP.1.1/SIG The TSF shall perform digital signature creation in accordance with a specified cryptographic algorithm DSA, ECDSA [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards]. Application Note 4 This SFR requires the TOE to create the signature of questionnaires according to DSA or ECDSA algorithm. 21
23 FCS COP.1/VER Cryptographic operation-signature verification FCS COP.1.1/VER The TSF shall perform digital signature verification in accordance with a specified cryptographic algorithm DSA, ECDSA [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards]. Application Note 5 This SFR requires the TOE to verify the signature of questionnaires according to DSA or ECDSA algorithm. FCS COP.1.1/PKA FCS COP.1/PKA Cryptographic operation-public key anonymization The TSF shall perform the anonymization of the public key in accordance with a specified cryptographic algorithm [assignment: cryptographic algorithm] and cryptographic key sizes [assignment: cryptographic key sizes] that meet the following: [assignment: list of standards]. Application Note 6 The ST writer shall perform the missing cryptographic algorithm in the element FCS COP.1.1/PKA FCS RNG FCS RNG.1 Random number generation The TOE shall meet requirement Random number generation (FCS RNG.1) as specified below (CC Part 2 extended, cf. sec. 6.1). The iterations are caused by different cryptographic random values to be generated by the TOE. Hierarchical to: Dependencies: No other components. No dependencies. FCS RNG.1/CA1 Random number generation - random number generator - CA1 FCS RNG.1.1/CA1 The TSF shall provide a deterministic random number generator, which implements: capabilities of the user to specify a personalization string for initialization Application Note 7 This SFR requires the TOE to generate random numbers used by CA1 for the anonymization of the public key operation. 22
24 FCS RNG.1/CA2 Random number generation - random number generator - CA2 FCS RNG.1.1/CA2 The TSF shall provide a deterministic random number generator, which implements: NIST SP A [5] Application Note 8 This SFR requires the TOE to generate random numbers used by CA2 for the anonymization of the public key operation Class FDP: User Data Protection The TOE shall meet the requirements from class FDP User data protection as specified below FDP DAU FDP DAU.1 Basic Data Authentication Hierarchical to: Dependencies: No other components. No dependencies. FDP DAU.1.1 The TSF shall provide a capability to generate evidence that can be used as guarantee of the validity of stored questionnaires Class FPR: Privacy The TOE shall meet the requirements from class FPR Privacy as specified below FPR PSE FPR PSE.1 Pseudonymity The TOE shall meet requirement Pseudonymity (FPR PSE.1) as specified below (CC Part 2). Hierarchical to: No other components. Dependencies: No dependencies. FPR PSE.1.1 The TSF shall ensure that any user and CA1 and CA2 and survey server and any external observer of the TSF are unable to determine the real user name bound to the signature creation operation and the signature verification operation. 23
25 FPR UNL FPR UNL.1 Unlinkability The TOE shall meet requirement Unlinkability (FPR UNL.1) as specified below (CC Part 2). The iterations are caused by unlinkability of different cryptographic primitives generated by the TOE. Hierarchical to: No other components. Dependencies: No dependencies. FPR UNL.1/CA1 Unlinkability - input and output of CA1 FPR UNL.1.1/CA1 The TSF shall ensure that any subjects but CA1 are unable to determine whether particular input of CA1 is related to a particular output of CA1. FPR UNL.1/CA2 Unlinkability - input and output of CA2 FPR UNL.1.1/CA2 The TSF shall ensure that any subjects but CA2 are unable to determine wheter particular input of CA2 is related to a particular output of CA2. FPR UNL.1/PSE Unlinkability - pseudonyms of the same user FPR UNL.1.1/PSE The TSF shall ensure that CA1 and CA2 and survey server are unable to determine wheter two different pseudonyms generated are related as follows: they refer to the same user Class FPT: Protection of the TSF The TOE shall meet the requirements from class FPT Protection of the TSF as specified below FPT TST FPT TST.1 TSF selftest The TOE shall meet requirement TSF selftest (FPT TST.1) as specified below (CC Part 2). Hierarchical to: No other components. Dependencies: No dependencies. 24
26 OT.SIGN OT.SIGCHECK OT.UNLINKINOUT OT.UNLINKPSEUDO OT.CAPRIV OT.CA2VERIFY OT.LISTINTEGRITY FCS CKM.1/CA1 X X FCS CKM.1/CA2 X X FCS CKM.1/SIG FCS COP.1/SIG X FCS COP.1/VER X FCS COP.1/PKA X X X FCS RNG.1/CA1 X X X FCS RNG.1/CA2 X X X FDP DAU.1 X FPR PSE.1 X X FPR UNL.1/CA1 X FPR UNL.1/CA2 X FPR UNL.1/PSE X FPT TST.1 X X Table 7.1: Coverage of Security Objective for the TOE by SFR FPT TST.1.1 FPT TST.1.2 The TSF shall run a suite of self tests periodically during normal operation to demonstrate the correct operation of the CA2. The TSF shall shall provide authorized users with the capability to verify the integrity of the lists of generated psedunyms. 7.2 Security Requirements Rationale Security Functional Requirements Rationale The table 7.1 provides an overview for security requirements coverage The security objective OT.SIGN is provided by the following SFRs: - FCS COP.1/SIG requires DSA or ECDSA signature creation algorithm to be used in order to sign questionnaires, - FCS COP.1/PKA requires the public key anonymization algorithm to be used, - FPR PSE.1 ensures that the signature is created in such a way that any observer is unable to determine the public key of the signer, 25
27 - FDP DAU.1 requires capability to generate evidence that can be used as guarantee of the validity of stored questionnaires. The security objective OT.SIGCHECK is provided by the following SFRs: - FCS COP.1/VER requires DSA or ECDSA signature verification algorithm to be used in order to verify signed questionnaires and - FPR PSE.1 ensures that any observer is unable to determine the real user name bound to the signature verification operation, The security objective OT.UNLINKINOUT is directly enforced by FPR UNL.1/CA1 and FPR UNL.1/CA2. They enforce that any subjects but CA1 and CA2 respectively are unable to determine wheter particular input this part is related to a particular output. Moreover, using the random values generated in accordance to the FCS RNG.1/CA1 and FCS RNG.1/CA2 is required. Each random number generator is deterministic and uses secret key of CA1 and CA2 respectively generated in accordance to FCS CKM.1/CA1 and FCS CKM.1/CA2 respectively. The security objective OT.UNLINKPSEUDO is directly enforced by FPR UNL.1/PSE which ensures that any subject is unable to determine wheter two different pseudonyms generated refers to the same user. Moreover, using the random values generated in accordance to the FCS RNG.1/CA1 and FCS RNG.1/CA2 requires the random number generator to be deterministic and implement capability to specify a personalization string for initialization. Different personalization string for initialization should be used for different pseudonyms of the same user. The security objective OT.CAPRIV is provided by using the key generated in accordance to FCS CKM.1/CA1 and FCS CKM.1/CA2 only for generation of random private values in accordance to FCS RNG.1/CA1 and FCS RNG.1/CA2. The random private values are used according to FCS COP.1/PKA. The security objective OT.CA2VERIFY is directly enforced by FPT TST.1 that requires periodically during normal operation to run a suite of self tests to check the correct operation of the CA2. The security objective OT.LISTINTEGRITY is enforced by FPT TST.1 that requires authorized users with the capability to verify the integrity of the lists of generated psedunyms according to FCS COP.1/PKA. 7.3 Security Assurance Requirements Developement activities (class ADV): ADV ARC.1 Security architecture description ADV FSP.4 Functional specification ADV IMP.2 Implementation representation ADV TDS.3 TOE design Guidance documents activities (class AGD): AGD OPE.1 Operational user guidance 26
28 AGD PRE.1 Preparative procedures Security Target evaluation (class ASE): ASE CCL.1 Conformance claims ASE ECD.1 Extended components definition ASE INT.1 ST introduction ASE OBJ.2 Security objectives ASE REQ.2 Derived security requirements ASE SPD.1 Security problem definition ASE TSS.1 TOE summary specification Tests activities (class ATE): ATE COV.2 Analysis of coverage ATE DPT.1 Testing: basic design ATE FUN.1 Functional testing ATE IND.2 Independent testing - sample Vulnerability assessment (class AVA): AVA VAN.5 Vulnerability analysis 27
29 Bibliography [1] Common Criteria for Information Technology Security Evaluation Part 1: Introduction and general model. (July 2009) 5 [2] Common Criteria for Information Technology Security Evaluation Part 2: Security functional components. (July 2009) 5 [3] Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components. (July 2009) 5 [4] BSI: Algorithms for qualified electronic signatures (2014) 21 [5] Barker, E., Kelsey, J.: Recommendation for random number generation using deterministic random bit generators (revised). NIST Special Publication A (2012) 23 28
EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION
COMMON CRITERIA PROTECTION PROFILE EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION Draft Version 1.0 TURKISH STANDARDS INSTITUTION TABLE OF CONTENTS Common Criteria Protection Profile...
More informationCryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik
Common Criteria Protection Profile Cryptographic Modules, Security Level Enhanced BSI-CC-PP-0045 Endorsed by the Foreword This Protection Profile - Cryptographic Modules, Security Level Enhanced - is issued
More informationSAMSUNG SDS FIDO Server Solution V1.1 Certification Report
KECS-CR-15-73 SAMSUNG SDS FIDO Server Solution V1.1 Certification Report Certification No.: KECS-ISIS-0645-2015 2015. 9. 10 IT Security Certification Center History of Creation and Revision No. Date Revised
More informationNational Information Assurance Partnership
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Protection Profile for Software Full Disk Encryption, Version 1.1 Report Number: CCEVS-VR-PP-0003
More informationProtection Profile for Portable Storage Media (PSMPP) Common Criteria Protection Profile BSI-CC-PP-0081-2012 Version 1.0
Protection Profile for Portable Storage Media (PSMPP) Common Criteria Protection Profile BSI-CC-PP-0081-2012 Version 1.0 German Federal Office for Information Security PO Box 20 03 63 D-53133 Bonn Tel.:
More informationEnhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation
Enhanced Privacy ID (EPID) Ernie Brickell and Jiangtao Li Intel Corporation 1 Agenda EPID overview EPID usages Device Authentication Government Issued ID EPID performance and standardization efforts 2
More informationSP 800-130 A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter
SP 800-130 A Framework for Designing Cryptographic Key Management Systems 5/25/2012 Lunch and Learn Scott Shorter Topics Follows the Sections of SP 800-130 draft 2: Introduction Framework Basics Goals
More informationCertification Report
Certification Report EAL 4 Evaluation of SecureDoc Disk Encryption Version 4.3C Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification
More informationProtection Profile for Full Disk Encryption
Protection Profile for Full Disk Encryption Mitigating the Risk of a Lost or Stolen Hard Disk Information Assurance Directorate 01 December 2011 Version 1.0 Table of Contents 1 Introduction to the PP...
More informationExtended Package for Mobile Device Management Agents
Extended Package for Mobile Device Management Agents 31 December 2014 Version 2.0 REVISION HISTORY Version Date Description 1.0 21 October 2013 Initial Release 1.1 7 February 2014 Typographical changes
More informationProtection Profile for Voice Over IP (VoIP) Applications
Protection Profile for Voice Over IP (VoIP) Applications 21 October 2013 Version 1.2 Table of Contents 1 INTRODUCTION... 1 1.1 Overview of the TOE... 1 1.2 Usage of the TOE... 1 2 SECURITY PROBLEM DESCRIPTION...
More informationCommon Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP-0064. Version 1.01 (15 th April 2010)
Common Criteria Protection Profile for BSI-CC-PP-0064 Version 1.01 (15 th April 2010) Federal Office for Information Security Postfach 20 03 63 53133 Bonn Phone: +49 228 99 9582-0 e-mail: zertifizierung@bsi.bund.de
More informationA Draft Framework for Designing Cryptographic Key Management Systems
A Draft Framework for Designing Cryptographic Key Management Systems Elaine Barker Dennis Branstad Santosh Chokhani Miles Smid IEEE Key Management Summit May 4, 2010 Purpose of Presentation To define what
More informationCryptography and Key Management Basics
Cryptography and Key Management Basics Erik Zenner Technical University Denmark (DTU) Institute for Mathematics e.zenner@mat.dtu.dk DTU, Oct. 23, 2007 Erik Zenner (DTU-MAT) Cryptography and Key Management
More informationJoint Interpretation Library
for smart cards and similar devices Document purpose: provide requirements to developers and guidance to evaluators to fulfill the Security Architecture requirements of CC V3 ADV_ARC family. Version 2.0
More informationProtection Profile for Software Full Disk Encryption
Protection Profile for Software Full Disk Encryption Mitigating the Risk of a Lost or Stolen Hard Disk Information Assurance Directorate 14 February 2013 Version 1.0 Table of Contents 1 Introduction to
More informationQualified Electronic Signatures Act (SFS 2000:832)
Qualified Electronic Signatures Act (SFS 2000:832) The following is hereby enacted 1 Introductory provision 1 The purpose of this Act is to facilitate the use of electronic signatures, through provisions
More informationProtection Profile for the Security Module of a Smart Meter Gateway (Security Module PP)
Protection Profile for the Security Module of a Smart Meter Gateway (Security Module PP) Schutzprofil für das Sicherheitsmodul der Kommunikationseinheit eines intelligenten Messsystems für Stoff- und Energiemengen
More informationCertification Report
Certification Report EAL 4+ Evaluation of Entrust Authority Security Manager and Security Manager Administration v8.1 SP1 Issued by: Communications Security Establishment Canada Certification Body Canadian
More informationKorean National Protection Profile for Voice over IP Firewall V1.0 Certification Report
KECS-CR-16-36 Korean National Protection Profile for Voice over IP Firewall V1.0 Certification Report Certification No.: KECS-PP-0717-2016 2016. 6. 10 IT Security Certification Center History of Creation
More informationCommon Criteria Protection Profile. ArchiSafe Compliant Middleware (ACM_PP)
Common Criteria Protection Profile for an ArchiSafe Compliant Middleware for Enabling the Long-Term Preservation of Electronic Documents (ACM_PP) Version Date Author Remarks 1.0.0 31/10/08 Dr. Wolf Zimmer
More informationCommon Criteria Security Target For XenApp 6.0 for Windows Server 2008 R2 Platinum Edition
Common Criteria Security Target For XenApp 6.0 for Windows Server 2008 R2 Platinum Edition Version 1-0 7 February 2011 2011 Citrix Systems, Inc. All rights reserved. Summary of Amendments Version 1-0 7
More informationFingerprint Spoof Detection Protection Profile
Fingerprint Spoof Detection Protection Profile based on Organisational Security Policies FSDPP_OSP v1.7 Bundesamt für Sicherheit in der Informationstechnik Postfach 20 03 63 53133 Bonn Tel.: +49 228 99
More informationRandomized Hashing for Digital Signatures
NIST Special Publication 800-106 Randomized Hashing for Digital Signatures Quynh Dang Computer Security Division Information Technology Laboratory C O M P U T E R S E C U R I T Y February 2009 U.S. Department
More informationNational Information Assurance Partnership
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Gradkell Systems, Inc. DBsign for Client/Server Applications Version 3.0 Report Number: CCEVS-VR-05-0127
More informationCommon Criteria Protection Profile
Machine Readable Travel Document using Standard Inspection Procedure with PACE (PACE PP) Version 1.01, 22th July 2014 Foreword This Protection Profile Electronic Passport using Standard Inspection procedure
More informationCertification Report
Certification Report EAL 4+ Evaluation of ncipher nshield Family of Hardware Security Modules Firmware Version 2.33.60 Issued by: Communications Security Establishment Canada Certification Body Canadian
More informationMicrosoft Windows Common Criteria Evaluation
Microsoft Windows Common Criteria Evaluation Microsoft Windows 8 Microsoft Windows Server 2012 Full Disk Encryption Security Target Document Information Version Number 1.0 Updated On April 3, 2014 Microsoft
More informationCERTIFICATE. certifies that the. Info&AA v1.0 Attribute Service Provider Software. developed by InfoScope Ltd.
CERTIFICATE HUNGUARD Informatics and IT R&D and General Service Provider Ltd. as a certification authority assigned by the assignment document No. 001/2010 of the Minister of the Prime Minister s Office
More informationProtection Profile for Network Devices
Protection Profile for Network Devices Information Assurance Directorate 08 June 2012 Version 1.1 Table of Contents 1 INTRODUCTION... 1 1.1 Compliant Targets of Evaluation... 1 2 SECURITY PROBLEM DESCRIPTION...
More informationProtection Profile for Email Clients
Protection Profile for Email Clients 1 April 2014 Version 1.0 Page 1 of 69 1 Introduction... 4 1.1 Overview of the TOE... 4 1.2 Usage of the TOE... 4 2 SECURITY PROBLEM DESCRIPTION... 6 2.1 Threats...
More informationCommon Criteria Protection Profile. Electronic Identity Card (ID_Card PP) BSI-CC-PP-0061. Approved by the Federal Ministry of Interior. Version 1.
Common Criteria Protection Profile Approved by the Federal Ministry of Interior Version 1.03, 1 Common Criteria Protection Profile Version 1.03, Foreword This Protection Profile is issued by Bundesamt
More informationcollaborative Protection Profile for Full Drive Encryption - Encryption Engine January 26, 2015
PP Reference: collaborative Protection Profile for Full Drive Encryption - Encryption Engine collaborative Protection Profile for Full Drive Encryption - Encryption Engine January 26, 2015 Version 1.0
More informationIntroduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...
Hush Encryption Engine White Paper Introduction...3 Terms in this Document...3 Conditions for Secure Operation...3 Requirements...3 Key Generation Requirements...4 Passphrase Requirements...4 Data Requirements...4
More informationSamsung SDS Co., LTD Samsung SDS CellWe EMM (MDMPP11) Security Target
Samsung SDS Co., LTD Samsung SDS CellWe EMM (MDMPP11) Security Target Version 0.6 2015/05/08 Prepared for: Samsung SDS 123, Olympic-ro 35-gil, Songpa-gu, Seoul, Korea 138-240 Prepared By: www.gossamersec.com
More informationcollaborative Protection Profile for Network Devices
collaborative Protection Profile for Network Devices Version 0.1 05-Sep-2014 Acknowledgements This collaborative Protection Profile (cpp) was developed by the Network international Technical Community
More informationCertification Report
Certification Report McAfee Network Security Platform v7.1 (M-series sensors) Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationRecommendation for Cryptographic Key Generation
NIST Special Publication 800-133 Recommendation for Cryptographic Key Generation Elaine Barker Allen Roginsky http://dx.doi.org/10.6028/nist.sp.800-133 C O M P U T E R S E C U R I T Y NIST Special Publication
More informationCommon Criteria for Information Technology Security Evaluation Protection Profile. General-Purpose Operating System Protection Profile
Common Criteria for Information Technology Security Evaluation Protection Profile General-Purpose Operating System Protection Profile 09 09 2013 Table of contents Table of Contents 1 INTRODUCTION... 7
More informationcollaborative Protection Profile for Full Drive Encryption Authorization Acquisition January 26, 2015
PP Reference: collaborative Protection Profile for Full Drive Encryption Authorization Acquisition collaborative Protection Profile for Full Drive Encryption Authorization Acquisition January 26, 2015
More informationCisco Trust Anchor Technologies
Data Sheet Cisco Trust Anchor Technologies Overview Cisco Trust Anchor Technologies provide the foundation for trustworthy systems across Cisco. The Cisco Trust Anchor and a Secure Boot check of signed
More informationMobile Billing System Security Target
Mobile Billing System Security Target Common Criteria: EAL1 Version 1.2 25 MAY 11 Document management Document identification Document ID Document title Product version IDV_EAL1_ASE IDOTTV Mobile Billing
More informationHow To Test A Toe For Security
Supporting Document Mandatory Technical Document Evaluation Activities for Network Device cpp September-2014 Version 0.1 CCDB- Foreword This is a supporting
More informationCommon Criteria. Introduction 2014-02-24. Magnus Ahlbin. Emilie Barse 2014-02-25. Emilie Barse Magnus Ahlbin
Common Criteria Introduction 2014-02-24 Emilie Barse Magnus Ahlbin 1 Magnus Ahlbin Head of EC/ITSEF Information and Security Combitech AB SE-351 80 Växjö Sweden magnus.ahlbin@combitech.se www.combitech.se
More informationProtection Profile for Server Virtualization
Protection Profile for Server Virtualization 29 October 2014 Version 1.0 i 0 Preface 0.1 Objectives of Document This document presents the Common Criteria (CC) Protection Profile (PP) to express the fundamental
More informationCentral Agency for Information Technology
Central Agency for Information Technology Kuwait National IT Governance Framework Information Security Agenda 1 Manage security policy 2 Information security management system procedure Agenda 3 Manage
More informationPulse Secure, LLC. January 9, 2015
Pulse Secure Network Connect Cryptographic Module Version 2.0 Non-Proprietary Security Policy Document Version 1.1 Pulse Secure, LLC. January 9, 2015 2015 by Pulse Secure, LLC. All rights reserved. May
More informationSecure cloud access system using JAR ABSTRACT:
Secure cloud access system using JAR ABSTRACT: Cloud computing enables highly scalable services to be easily consumed over the Internet on an as-needed basis. A major feature of the cloud services is that
More informationProtection Profiles for TSP cryptographic modules Part 1: Overview
Date: 2015-08 prts 419221-1:2015 Protection Profiles for TSP cryptographic modules Part 1: Overview Document type: Technical Specification Document language: E Contents Introduction...3 1 Scope...4 2 References...4
More informationSupporting Document Guidance. Security Architecture requirements (ADV_ARC) for smart cards and similar devices. April 2012. Version 2.
Supporting Document Guidance Security Architecture requirements (ADV_ARC) for smart cards and similar devices April 2012 Version 2.0 CCDB-2012-04-003 Foreword This is a supporting document, intended to
More informationCertification Report
Certification Report EAL 2+ Evaluation of Symantec Endpoint Protection Version 11.0 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Cisco Intrusion Detection System Sensor Appliance IDS-4200 series Version 4.1(3) Report
More informationSupporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. February-2015. Version 1.
Supporting Document Mandatory Technical Document Evaluation Activities for Stateful Traffic Filter Firewalls cpp February-2015 Version 1.0 CCDB-2015-01-002 Foreword This is a supporting document, intended
More informationSecurity Standards. 17.1 BS7799 and ISO17799
17 Security Standards Over the past 10 years security standards have come a long way from the original Rainbow Book series that was created by the US Department of Defense and used to define an information
More informationEAL4+ Security Target
EAL4+ Security Target Common Criteria: EAL4 augmented with ALC_FLR.3 Version 1.0 21-DEC-10 Document management Document identification Document ID Document title Release authority E14_EAL4_ASE Microsoft
More informationUnderstanding and Integrating KODAK Picture Authentication Cameras
Understanding and Integrating KODAK Picture Authentication Cameras Introduction Anyone familiar with imaging software such as ADOBE PHOTOSHOP can appreciate how easy it is manipulate digital still images.
More informationSecurity Target. Astaro Security Gateway V8 Packet Filter Version 1.000. Assurance Level EAL4+ Common Criteria v3.1
Astaro Security Gateway V8 Packet Filter Version 1.000 Assurance Level EAL4+ Common Criteria v3.1 This Security Target also covers the secunet wall 2 packet filter Version : 1.03 Date: 2011-05-20 Author:
More informationPart I. Universität Klagenfurt - IWAS Multimedia Kommunikation (VK) M. Euchner; Mai 2001. Siemens AG 2001, ICN M NT
Part I Contents Part I Introduction to Information Security Definition of Crypto Cryptographic Objectives Security Threats and Attacks The process Security Security Services Cryptography Cryptography (code
More informationCommon Criteria Security Target
Common Criteria Security Target for Citrix XenDesktop 5.6 Platinum edition Version 1-1 16 November 2012 2012 Citrix Systems, Inc. All rights reserved Summary of Amendments Version Date Notes 1-1 16 November
More informationTransitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths
NIST Special Publication 800-131A Transitions: Recommendation for Transitioning the Use of Cryptographic Algorithms and Key Lengths Elaine Barker and Allen Roginsky Computer Security Division Information
More informationCOMMON CRITERIA PROTECTION PROFILE. for SECURE COMMUNICATION MODULE FOR WATER TRACKING SYSTEM (SCM-WTS PP)
COMMON CRITERIA PROTECTION PROFILE for SECURE COMMUNICATION MODULE FOR WATER TRACKING SYSTEM (SCM-WTS PP) Revision No 1.1 Revision Date 11.07.2014 Document Code File Name SCM-WTS PROTECTION PROFILE Prepared
More informationArchived NIST Technical Series Publication
Archived NIST Technical Series Publication The attached publication has been archived (withdrawn), and is provided solely for historical purposes. It may have been superseded by another publication (indicated
More informationAustralasian Information Security Evaluation Program
Australasian Information Security Evaluation Program Juniper Networks, Inc. JUNOS 12.1 X46 D20.6 for SRX-Series Platforms Certification Report 2015/90 3 July 2015 Version 1.0 Commonwealth of Australia
More informationVICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui
VICTORIA UNIVERSITY OF WELLINGTON Te Whare Wānanga o te Ūpoko o te Ika a Māui School of Engineering and Computer Science Te Kura Mātai Pūkaha, Pūrorohiko PO Box 600 Wellington New Zealand Tel: +64 4 463
More informationA Secure Decentralized Access Control Scheme for Data stored in Clouds
A Secure Decentralized Access Control Scheme for Data stored in Clouds Priyanka Palekar 1, Abhijeet Bharate 2, Nisar Anjum 3 1 SKNSITS, University of Pune 2 SKNSITS, University of Pune 3 SKNSITS, University
More informationProtection Profile for Wireless Local Area Network (WLAN) Access Systems
Protection Profile for Wireless Local Area Network (WLAN) Access Systems Information Assurance Directorate 01 December 2011 Version 1.0 Table of Contents 1 Introduction to the PP... 1 1.1 PP Overview of
More informationSecure Network Communications FIPS 140 2 Non Proprietary Security Policy
Secure Network Communications FIPS 140 2 Non Proprietary Security Policy 21 June 2010 Table of Contents Introduction Module Specification Ports and Interfaces Approved Algorithms Test Environment Roles
More informationSecurity Target for PalmSecure
Version 1.0 14.September 2008 BSI-DSZ-CC-0511 All Rights Reserved Copyright Fujitsu Limited 2008 this page was intentionally left blank 14.September 2008 All Rights Reserved Copyright Fujitsu Limited 2008
More informationcollaborative Protection Profile for Full Drive Encryption - Encryption Engine
PP Reference: collaborative Protection Profile for collaborative Protection Profile for Full Drive Encryption - Encryption Engine Version 0. Acknowledgements This collaborative Protection Profile (cpp)
More informationNational Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy. Version 1.1. February 2, 2016
National Identity Exchange Federation (NIEF) Trustmark Signing Certificate Policy Version 1.1 February 2, 2016 Copyright 2016, Georgia Tech Research Institute Table of Contents TABLE OF CONTENTS I 1 INTRODUCTION
More informationElectronic Voting Protocol Analysis with the Inductive Method
Electronic Voting Protocol Analysis with the Inductive Method Introduction E-voting use is spreading quickly in the EU and elsewhere Sensitive, need for formal guarantees Inductive Method: protocol verification
More informationCertification Report - Firewall Protection Profile and Firewall Protection Profile Extended Package: NAT
Template: CSEC_mall_doc.dot, 7.0 Ärendetyp: 6 Diarienummer: 14FMV10188-21:1 Dokument ID CB-015 HEMLIG/ enligt Offentlighets- och sekretesslagen (2009:400) 2015-06-12 Country of origin: Sweden Försvarets
More informationNational Information Assurance Partnership
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Security Requirements for Voice Over IP Application Protection Profile for Mobility Voice
More informationSecurity Requirements for Network Devices
Security Requirements for Network Devices Information Assurance Directorate 10 December 2010 Version 1.0 Table of Contents 1 INTRODUCTION... 1 1.1 Compliant Targets of Evaluation... 1 2 SECURITY PROBLEM
More informationSSL A discussion of the Secure Socket Layer
www.harmonysecurity.com info@harmonysecurity.com SSL A discussion of the Secure Socket Layer By Stephen Fewer Contents 1 Introduction 2 2 Encryption Techniques 3 3 Protocol Overview 3 3.1 The SSL Record
More informationLessons learnt in writing PP/ST. Wolfgang Killmann T-Systems
Lessons learnt in writing PP/ST Wolfgang Killmann T-Systems Overview of the talk Lessons learnt in writing PP/ST Practical experience of PP/ST writing Issues with and suggestions for PP/ST writing Conformance
More informationProtection Profile for the Gateway of a Smart Metering System (Smart Meter Gateway PP)
1 2 3 4 Protection Profile for the Gateway of a Smart Metering System (Smart Meter Gateway PP) Schutzprofil für die Kommunikationseinheit eines intelligenten Messsystems für Stoff- und Energiemengen 5
More informationNeutralus Certification Practices Statement
Neutralus Certification Practices Statement Version 2.8 April, 2013 INDEX INDEX...1 1.0 INTRODUCTION...3 1.1 Overview...3 1.2 Policy Identification...3 1.3 Community & Applicability...3 1.4 Contact Details...3
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report TM HP Network Node Management Advanced Edition Software V7.51 with patch PHSS_35278 Report
More informationCourtesy Translation
Direction centrale de la sécurité des systèmes d information Protection Profile Electronic Signature Creation Application Date : July 17th, 2008 Reference : Version : 1.6 Courtesy Translation Courtesy
More informationChap. 1: Introduction
Chap. 1: Introduction Introduction Services, Mechanisms, and Attacks The OSI Security Architecture Cryptography 1 1 Introduction Computer Security the generic name for the collection of tools designed
More informationCESG ASSURED SERVICE CAS SERVICE REQUIREMENT PSN CA (IPSEC)
CESG ASSURED SERVICE CAS SERVICE REQUIREMENT PSN CA (IPSEC) Version 1.0 Crown Copyright 2016 All Rights Reserved Page 1 Document History Version Date Description 1.0 October 2013 Initial issue Soft copy
More informationSecuware Virtual System (SVS)
Secuware Virtual System (SVS) SECURITY TARGET EAL2 Copyright 2008 by SECUWARE All rights reserved. The information in this document is exclusive property of SECUWARE and may not be changed without express
More informationSecurity Target. Security Target SQL Server 2008 Team. Author: Roger French Version: 1.04 Date: 2011-09-26
SQL Server 2008 Team Author: Roger French Version: 1.04 Date: 2011-09-26 Abstract This document is the (ST) for the Common Criteria certification of the database engine of Microsoft SQL Server 2008 R2.
More informationComputer and Network Security
Computer and Network Security Common Criteria R. E. Newman Computer & Information Sciences & Engineering University Of Florida Gainesville, Florida 32611-6120 nemo@cise.ufl.edu Common Criteria Consistent
More informationMicrosoft Forefront UAG 2010 Common Criteria Evaluation Security Target Microsoft Forefront Unified Access Gateway Team
Microsoft Forefront UAG 2010 Common Criteria Evaluation Security Target Microsoft Forefront Unified Access Gateway Team Author: Microsoft Corp. Version: 1.0 Last Saved: 2011-03-10 File Name: MS_UAG_ST_1.0.docx
More informationProtection Profile for Mobile Device Management
Protection Profile for Mobile Device Management 7 March 2014 Version 1.1 1 Revision History Version Date Description 1.0 21 October 2013 Initial Release 1.1 7 March 2014 Typographical changes and clarifications
More informationUSB Portable Storage Device: Security Problem Definition Summary
USB Portable Storage Device: Security Problem Definition Summary Introduction The USB Portable Storage Device (hereafter referred to as the device or the TOE ) is a portable storage device that provides
More informationCertification Report
Certification Report EAL 3+ Evaluation of Rapid7 Nexpose Vulnerability Management and Penetration Testing System V5.1 Issued by: Communications Security Establishment Canada Certification Body Canadian
More informationCertification Report
Certification Report McAfee Enterprise Mobility Management 12.0 Issued by: Communications Security Establishment Certification Body Canadian Common Criteria Evaluation and Certification Scheme Government
More informationIBM Security Access Manager for Enterprise Single Sign-On Version 8.2 with IMS Server Interim Fix 4 and AccessAgent Fix Pack 22 Security Target
IBM Security Access Manager for Enterprise Single Sign-On Version 8.2 with IMS Server Interim Fix 4 and AccessAgent Fix Pack 22 Security Target Version: Status: Last Update: 1.19 Released 2014-03-05 Trademarks
More informationCertification Report
Certification Report EAL 4+ Evaluation of BlackBerry Enterprise Server version 5.0.0 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification
More informationMicrosoft Windows Common Criteria Evaluation
Microsoft Windows Common Criteria Evaluation Microsoft Windows 8 Microsoft Windows RT Microsoft Windows Server 2012 IPsec VPN Client Security Target Document Information Version Number 1.0 Updated On January
More informationSENSE Security overview 2014
SENSE Security overview 2014 Abstract... 3 Overview... 4 Installation... 6 Device Control... 7 Enrolment Process... 8 Authentication... 9 Network Protection... 12 Local Storage... 13 Conclusion... 15 2
More informationISO/IEC 27002:2013 WHITEPAPER. When Recognition Matters
When Recognition Matters WHITEPAPER ISO/IEC 27002:2013 INFORMATION TECHNOLOGY - SECURITY TECHNIQUES CODE OF PRACTICE FOR INFORMATION SECURITY CONTROLS www.pecb.com CONTENT 3 4 5 6 6 7 7 7 7 8 8 8 9 9 9
More informationCertification Report
Certification Report EAL 3+ Evaluation of AccessData Cyber Intelligence and Response Technology v2.1.2 Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria
More informationSecurity Target. McAfee Enterprise Mobility Management 12.0. Document Version 1.16
Security Target McAfee Enterprise Mobility Management 12.0 Document Version 1.16 September 17, 2014 Prepared For: Prepared By: McAfee, Inc. 2821 Mission College Blvd. Santa Clara, CA 95054 Primasec Ltd
More information