Lessons learnt in writing PP/ST. Wolfgang Killmann T-Systems

Similar documents
Build a CC assurance package dedicated to your risk assessment. Francois GUERIN Security Program Manager francois.guerin@gemalto.

SAMSUNG SDS FIDO Server Solution V1.1 Certification Report

Common Criteria v3.1 Vulnerability Assessment: What is new?

Common Criteria for Information Technology Security Evaluation. Part 3: Security assurance components. September Version 3.

Common Methodology for Information Technology Security Evaluation. Evaluation methodology. September Version 3.1 Revision 4 CCMB

Supporting Document Guidance. Smartcard Evaluation. February Version 2.0 CCDB

Joint Interpretation Library. Guidance for smartcard evaluation

Joint Interpretation Library

Security Target. Astaro Security Gateway V8 Packet Filter Version Assurance Level EAL4+ Common Criteria v3.1

Certification Report

Guidelines for Developer Documentation

CERTIFICATION REPORT

BSI-DSZ-CC-S for. Dream Chip Technologies GmbH Germany. Dream Chip Technologies GmbH

CERTIFICATION REPORT

Certification Report StoneGate FW/VPN 5.2.5

BSI-CC-PP for. Cryptographic Modules, Security Level "Enhanced", Version from. Bundesamt für Sicherheit in der Informationstechnik

BSI-DSZ-CC-S for. GLOBALFOUNDRIES Singapore Pte. Ltd. GLOBALFOUNDRIES Singapore Pte. Ltd.

BSI-DSZ-CC for. tru/cos tacho v1.1. from. Trueb AG

Fingerprint Spoof Detection Protection Profile

Joint Interpretation Library

Certification Report. NXP J3E145_M64, J3E120_M65, J3E082_M65, J2E145_M64, J2E120_M65, and J2E082_M65 Secure Smart Card Controller Revision 3

Supporting Document Guidance. Security Architecture requirements (ADV_ARC) for smart cards and similar devices. April Version 2.

BSI-DSZ-CC for

Common Criteria Protection Profile. Electronic Identity Card (ID_Card PP) BSI-CC-PP Approved by the Federal Ministry of Interior. Version 1.

Security Domain Separation as Prerequisite for Business Flexibility. Igor Furgel T-Systems

BSI-DSZ-CC for. Digital Tachograph EFAS-4.0, Version 02. from. intellic GmbH

Certificate Issuing and Management Components Protection Profile. Version 1.5

Firewall Protection Profile V

BSI-DSZ-CC for. NXP J3A081, J2A081 and J3A041 Secure Smart Card Controller Revision 3. from. NXP Semiconductors Germany GmbH

BSI-DSZ-CC for. Oracle Database 11g Release 2 Enterprise Edition. from. Oracle Corporation

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Technical Security in Smart Metering Devices: A German Perspective S4 SCADA Security Scientific Symposium , Miami Beach FL / USA

BSI-DSZ-CC For. Microsoft Windows Server 2008 R2 Hyper-V, Release from. Microsoft Corporation

Using Common Criteria Evaluations to Improve Healthcare Cybersecurity

Security IC Platform Protection Profile

BSI-DSZ-CC for. Microsoft SQL Server 2012 Database Engine Enterprise Edition x64 (English), Version (including Service Pack 1)

BSI-DSZ-CC for. IBM Tivoli Access Manager for e-business version FP4 with IBM Tivoli Federated Identity Manager version 6.2.

MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN

22 July, 2010 IT Security Center (ISEC) Information-technology Promotion Agency (IPA) Copyright 2010 Information-Technology Promotion Agency, Japan 1

Joint Interpretation Library. Security Evaluation and Certification of Digital Tachographs

BSI-DSZ-CC for. LANCOM Systems Operating System LCOS 8.70 CC with IPsec VPN. from. LANCOM Systems GmbH

Protection Profile for UK Dual-Interface Authentication Card

Secuware Virtual System (SVS)

BSI-DSZ-CC for. MN67S150 Smart Card IC Version RV08 including IC Dedicated Software. from. Panasonic Semiconductor Solutions Co., Ltd.

Xceedium GateKeeper Version Security Target

BSI-DSZ-CC for. Microsoft Forefront Threat Management Gateway 2010 Version / Build from. Microsoft Corporation

CA CA, Inc. Identity Manager 12.5 Identity Manager r12.1 Security Target

Common Criteria Protection Profile. Electronic Identity Card (ID_Card PP)

Security Target. NetIQ Access Manager 4.0. Document Version August 7, Security Target: NetIQ Access Manager 4.0

gateprotect Firewall Packet-Filtering-Core v10.3 Security Target Version:

Korean National Protection Profile for Voice over IP Firewall V1.0 Certification Report

CardOS V4.4 CNS. Edition 04/2010. Security Target CardOS V4.4 CNS with Application for QES

BSI-DSZ-CC for. JBoss Enterprise Application Platform 5 Version and from. Red Hat

MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN

Trustwave DbProtect Version Security Target

CERTIFICATION REPORT

Enterasys Networks, Inc. Netsight/Network Access Control v Security Target

Details for the structure and content of the ETR for Site Certification. Version 1.0

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

Common Criteria Protection Profile

MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN CERTIFICATION REPORT

IBM DB2 Version 10.1 Enterprise Server Edition for Linux, Unix, and Windows (CC Configuration) Security Target

MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN CERTIFICATION REPORT

Developing a new Protection Profile for (U)SIM UICC platforms. ICCC 2008, Korea, Jiju Septembre 2008 JP.Wary/M.Eznack/C.Loiseaux/R.

U.S. Government Protection Profile for Database Management Systems

Compucat Research Pty Limited 14 Wales St, Belconnen ACT 2617 ABN

CERTIFICATION REPORT

Certification Report BSI-DSZ-CC for. Renesas AE45C1 (HD65145C1) Smartcard Integrated Circuit Version 01. from. Renesas Technology Corp.

EMC Corporation Data Domain Operating System Version Security Target. Evaluation Assurance Level (EAL): EAL2+ Document Version: 0.

SenSage, Inc. SenSage Security Target. Evaluation Assurance Level: EAL2+ Document Version: 1.2

Security Target for Cisco Secure PIX Firewall 515, 520, 525 Version 5.2(3)

Security Target Lite STARCOS 3.4 Health HBA C1

Certification Report. NXP Secure Smart Card Controller P40C012/040/072 VD

Common Criteria V3.1. Evaluation of IT products and IT systems

How To Understand The Toe

Microsoft Forefront UAG 2010 Common Criteria Evaluation Security Target Microsoft Forefront Unified Access Gateway Team

Smartcard IC Platform Protection Profile

How To Evaluate A Security Target Of Evaluation (Toe)

JMCS Northern Light Video Conferencing System Security Target

ETSI TS V4.2.3 ( ) Technical Specification

Security Target. McAfee Enterprise Mobility Management Document Version 1.16

Open XML Open Packaging Conventions Low Assurance Security Target

Security Target. McAfee Enterprise Mobility Management 9.7. Document Version 0.9. July 5, 2012

Security Target. Securonix Security Intelligence Platform 4.0. Document Version January 9, 2015

Certification Report. SafeNet Luna PCI configured for use in Luna SA (RF) with Backup

Transcription:

Lessons learnt in writing PP/ST Wolfgang Killmann T-Systems

Overview of the talk Lessons learnt in writing PP/ST Practical experience of PP/ST writing Issues with and suggestions for PP/ST writing Conformance claim to PP Use of conformance claims Discussion of strict and demonstrable conformance Relation between functional and assurance requirements Resistance against attacks claimed in PP/ST Understanding of attack potential Different resistance against attacks within a product?

General aspects of PP usage PP are widely used PPs are issued by governmental organisations expressing legal requirements PP Secure signature-creation devices (developed by CEN, referenced by EU commission, BSI-PP-{0004,0005,0006}) PP Machine readable traveller documents (MRTD) Basic access control (FMI Germany, BSI-PP-0026-2006) Extended access control (FMI Germany, BSI-PP-0026-2006) PPs are developed by vendors to establish industrial security baseline PP Security integrated circuits (Eurosmart vendors group, BSI-PP-0002, BSI-PP-0035) PP PC client specific trusted platform module PC (PP PC specific TPM, Trusted Computing Group, BSI-PP-00??) PPs may address security of specific IT product or IT system types ehealth smart cards, terminals, server (ehealth connector)

General aspects of PP usage 2 roles of PP PPs are issued to express minimum security requirements from user point of view. The PP developers may follow the PP/ST guidance often ask for help by CC specialists (as editor) to write their PP PPs are used to write STs for product evaluation. Therefore CC part 1 describes the concept of PP and ST PP have to meet the assurance class APE These 2 roles are sometimes in conflict PP should be easy readable for customers but CC are not easy to understand. Strong concepts are necessary for evaluation but limit the applicability of PPs. Open issues make development and application of PPs difficult.

Conformance claim Mandatory parts according to CC version 2.3 If ST claims conformance the ST shall include from PP and may extend the PP parts security objectives (SO) for the TOE, security functional requirements (SFR) for the TOE security assurance requirements (SAR) for TOE Threats Org. Sec. Policies Assumptions Sec. funct. req. TOE Sec. Objectives for TOE Sec. ass. requir. Mandatory part of PP going into the ST Sec. Objectives Environment Sec. funct. req. IT Environment Non-IT Sec. Requirements

Conformance claim Mandatory parts according to CC version 3.1 PP may require strict or allow demonstrable conformance strict: mandatory threats, policies, assumptions (SPD) SO for the TOE, security requirements for the TOE (SFR, SAR) forbidden to modify assumptions, add SO for operational environment demonstrable: PP/ST provides rationale of being more restrictive than the claimed PP Threats Org. Sec. Policies Assumptions Sec. funct. requ. TOE Sec. Objectives for TOE Sec. ass. requirements Sec. Objectives for Oper. Envir. Strict conformance: mandatory part of PP going into the ST Demonstrable conf.: ST parts more strict than PP parts May be shifted to TOE NO additional SOE

Conformance claim Example: PP secure signature-creation device PP SSCD TCSCA epurse application with additional security objectives for operational environment contactless secure messaging PP SSCD contact based clear text 12345 678910 SSCD epurse Monika Musterfrau Shall we perform separate evaluations only because of changed environment?

Conformance claim Issues and Suggestion for strict conformance claim Issues of strict conformance (CC p1, sec. D2): over-defined (by SPD): conflicts if TOE provides additional security services in the ST or claiming conformance to additional PPs Suggestion for strict conformance PP/ST claiming conformance to a PP shall include all security objectives for the TOE all security functional requirements all (or hierarchically higher) security assurance requirements The security objectives for the operational environment must not contradict the security objectives for the TOE (consistency). The PP/ST may contain additional assumptions and security objectives for the operational environment if they relate to additional security services provided by the TOE of the PP/ST.

Conformance claim Suggestion for strict conformance claim Possible synergy of PP A and PP/ST B Threats (A and B) Org. Sec. Policies (A and B) Assumptions (A and B) PP A PP/ST B Sec. objectives for oper. envir.* Sec. objectives for TOE in PP A consistency Sec. objectives for TOE in PP B Sec. objectives for oper. envir.* common set of SFR consistency Set A of SFR Superset of SAR set A and B Set B of SFR consistency

Conformance claim Suggestion for demonstrable conformance claim Issue of demonstrable conformance (CC part 1, D.2) all TOEs that meet the PP also meet ST (wrong) all environments that meet SPD of PP also meet SPD of ST (very strong) The criteria for more restrictive and the degree of freedom for conformance rationale are not clearly stated. Suggestion for demonstrable conformance: Definition of rules how the rationale may demonstrate that all TOEs that meet the ST also meet the PP: Set of SO for TOE in the PP/ST includes all SO for TOE in the PP. For identified SO for TOE the PP/ST may define different SFR than the PP. Set of SAR in the PP/ST includes all or hierarchically higher SAR in the PP.

Functional and assurance requirements Which level of EAL and resistance to be claimed in PP/ST Resistance against attacks high moderate enh. basic EAL2 basic EAL1 EAL4 EAL3 EAL7 EAL6 EAL5 Security assurance requirements Security functional requirements

Security functional requirements Relation between PP/ST and specification {APE,ASE}_REQ.2.7C: SFR shall be suitable to meet the security objectives of the TOE. This is rather a requirement but also a way to find the appropriate SFR. Example: PP Secure signature-creation device, PP MRTD, In some cases a functional specification is given and the PP/ST writer has to reconstruct the SPD and the SO. Examples: PP PC client specific TPM, PP ehealth server, Specifications aim on interoperability and describe functionality on ADV_FSP level, but typically without any SPD or SO. This result in issues of PP development: How to decide whether a function is a security function to be evaluated? How to determine appropriateness and completeness of SFR? How to ensure compatibility of PP for the components in an IT system? E. g. German ehealth care project: 11 PPs for server, terminals, smart cards

Resistance against attacks Which level of EAL and resistance to be claimed in PP/ST AVA_VAN.4 AVA_VAN.5 high AVA_VAN.3 moderate enhancedbasic basic AVA_VAN.1 AVA_VAN.2 EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7 EAL3+ADV_TDS.3+ADV_IMP.1+...

Resistance against attacks Understanding of resistance How to determine the necessary resistance to attacks in terms of generic levels? Consider value of the assets to protect Example: PP PC client specific TPM what is the value of the cryptographic key in CC terms of attack potential? Example: PP Point of interaction (electronic cash terminal) The PCI scheme measures the values of data and effort of attacks in money. PIN at smart card interfaces >14-16k$; PIN >25k$; keys >35k$ Consider the threat environment Example: PP PC client specific TPM Is there any key in the TPM, which is secret for the end-user? Specific attack potential quotation tables shall be used for physical attacks Analyze attack potential of physical attacks relevant for the TPM Example: PP Security IC Smart cards in the lab of the attacker all kinds of physical attacks

Resistance against attacks Examples: different resistance for a product Machine readable traveller document (MRTD) Personal data of the document holder: enhanced-basic Biometric data of the document holder (fingerprint, iris scan): high ehealth server (ehealth connector) Protection of local medical data: enhanced-basic Signature application for qualified electronic signature: high Encryption of medical data: high Point of interaction (terminal for credit cards) transaction data: basic card holder PIN: moderate cryptographic key: high

Resistance against attacks Evaluation workflow of homogenous TOE Life-cycle support ALC_DVS.1 ALC_LCD.1 ALC_CMS.4 ALC_CMC.4 ALC_TAT.1 ALC_DEL.1 ST Guidance documentation Vulnerability assessment ASE AGD_PRE.1 AGD_OPE.1 AVA_VAN.4 ETR ADV_ARC.1 ADV_FSP.4 ADV_TDS.3 Development ADV_IMP.1 ATE_FUN.1 ATE_COV.2 ATE_DPT.2 Tests ATE_IND.2

Resistance against attacks Suggested solution: mainly same EAL, different resistance TOE SFR set A: EAL4, TOE SFR set B: EAL4+AVA_VAN.5 Life-cycle support ALC_DVS.1 ALC_LCD.1 ST A ALC_CMS.4 ALC_CMC.4 ALC_TAT.1 ALC_DEL.1 Vulnerability assessment ASE (EAL4) Guidance documentation AVA_VAN.2 ETR A AGD_PRE.1 AGD_OPE.1 ASE (EAL4+) ST B ADV_FSP.4 ADV_ARC.1 ADV_TDS.3 ADV_IMP.1 Development ATE_FUN.1 AVA_VAN.5 ETR B ATE_COV.2 ATE_IND.2 ATE_DPT.2 Tests

Resistance against attacks Suggested solution: different EAL and resistance TOE SFR set A: EAL3, TOE SFR set B: EAL4+AVA_VAN.5 Life-cycle support ALC_DVS.1 ALC_LCD.1 ST A ALC_CMS.4 ALC_CMC.4 ALC_TAT.1 ALC_DEL.1 Vulnerability assessment ASE (EAL3) Guidance documentation AVA_VAN.2 ETR A AGD_PRE.1 AGD_OPE.1 ASE (EAL4+) ST B ADV_ARC.1* AVA_VAN.5 ATE_COV.2 ETR B TOE SO/SFR set A: ADV_FSP.3 ADV_TDS.2 ATE_FUN.1 ATE_DPT.1 ATE_IND.2 TOE SO/SFR set B: ADV_FSP.4 ADV_TDS.3 ADV_IMP.1 ATE_DPT.2 Development Tests

Resistance against attacks Suggestion for a future CC version A future version of CC may allow for PP and ST with different resistance claims AVA_VAN components are linked to non-overlapping sets of security objectives for TOE non-overlapping sets of SFR dependencies of the AVA_VAN components shall be solved by sets of SAR Sets of SARs will be applied for the TSF parts implementing the relevant SFR Threats Org. Sec. Policies Assumptions Set A of TOE Objectives Set A of SFR Set B of TOE Objectives Set B of SFR AVA_VAN.a other SAR AVA_VAN.b add. SAR

Conclusion PPs are successfully widely used for a huge number of TOE types. The intention of the PP issuer is transferred to the product evaluation through the conformance claim. The conformance claim framework of CC should be improved for practical usage. Suggestion are made for appropriate changes. Definition of security objectives, SFR and SAR, especially AVA_VAN component(s), are crucial for the PP, the ST and the whole evaluation process. In order to chose appropriate AVA_VAN component the PP issuer shall have a clear understanding of the value of the assets, the threat environment and the CC attack potential quotation for the TOE product type. The TOE may provide different resistance against attacks for different assets. The evaluation should base on 2 ST and result in 2 certificates. Future CC versions might allow for 1 ST, 1 evaluation and 1 certificate.

Thank you for your attention. Any question? Wolfgang Killmann T-Systems GEI GmbH D-5311 Bonn, Rabinstrasse 8 wolfgang.killmann@t-systems.com

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information