Slide 1: BSI activities in developing PPs and the BSI-PP/ST-Guide
Frank Grefrath
Bundesamt für Sicherheit in der Informationstechnik / Federal Office for Information Security
ICCC, September 2007

Slide 2: Agenda
- BSI activities in PP certification
- Introduction of the PP "Digitales Wahlstift-System, V. 1.0.1"
- Introduction of the BSI-PP/ST-Guide

Slide 3: Recently certified PPs in the BSI CC scheme
- BSI-PP-0031-2007: "Protection Profile Digitales Wahlstift-System, V. 1.0.1"
  The PP defines the minimum IT security requirements for systems that provide technical assistance in elections on the basis of a digital election pen.
- BSI-PP-0034-2007: "Mobile Synchronisation Services Protection Profile, V. 1.1"
  The purpose of such a system is to provide secure remote access for mobile users (e.g. using a PDA) to e-mail or PIM (personal information management) services located in a company's intranet.

Slide 4: Recently certified PPs in the BSI scheme
- BSI-PP-0035-2007: "Security IC Platform Protection Profile" (update of BSI-PP-0002-2001)
  The defined TOE is a smartcard integrated circuit composed of a processing unit, security components, I/O ports (contact-based and/or contactless) and volatile and non-volatile memories (hardware).
- Different PPs for the German electronic health systems are currently under evaluation.

Slide 5: Protection Profile for a digital election system - System overview
- A digital election system compliant with the PP provides electronic assistance in complex elections.
- The voter casts his votes with a digital pen on a special kind of paper.
- The camera of the pen records his votes, and the data is then transferred to a PC.
- There the data is analysed, the votes are counted automatically and a protection against manipulation of the election result is generated.

Slide 6: Protection Profile for a digital election system - Motivation / benefit
- Voting takes place in a familiar way for the voter: making crosses with a pen on paper.
- Vote counting can be carried out much faster and more easily.
- Typical failures in manual counting can be avoided.
- In cases of doubt the electronic election result can be checked by manually counting the paper ballots.
- Complex elections can be conducted without great manpower requirements.

Slide 7: Protection Profile for a digital election system - Main IT security features
- Recording the votes on the paper ballots with the pen
- Transferring the election data to a PC via USB
- Storing the data on the PC without it being traceable to the voter
- Analysing the votes and dividing them into valid, doubtful and invalid votes
- Judging of the doubtful votes by the scrutineers
- Automatic calculation of the election result
- Generation and display of a proof of origin
- Logging of security-relevant events

Slide 8: Protection Profile for a digital election system - Physical boundaries of the TOE
- Hardware: digital election pens and docking stations
- Firmware: firmware of the digital election pen (recording the marks on the paper)
- Software: TOE application software for
  - controlling the pens
  - storing the election data during the election
  - judging and counting the votes
  - generating a proof of origin
  - logging security-relevant events

Slide 9: Protection Profile for a digital election system - TOE security environment
The PP contains assumptions covering the following aspects:
- Usage assumptions resulting from the German election law
- Trustworthy and carefully working administrators and scrutineers
- Correctly and securely configured PC platform
The TOE counters the following threats:
- Disclosure of election data and protocol data
- Disturbance and manipulation of the technical procedures
- Unnoticed manipulation of the election pen and the election result
- Successful tracing between election data and voter

Slide 10: Protection Profile for a digital election system - General regulations
- Validity: valid until June 30th, 2008
- CC assurance level: EAL 3
- Combined evaluation: EAL3 CC certification by the BSI; approval by the Physikalisch-Technische Bundesanstalt according to the German election law, with source code analysis and emission measurement

Slide 11: BSI PP/ST-Guide - Introduction
- CC, Version 3.1
- Intended audience for the guide:
  - PP/ST readers with little or no CC knowledge
  - PP/ST writers
  - Evaluators, certifiers

Slide 12: BSI PP/ST-Guide - Structure of the guide
- What is the purpose of PPs/STs?
- Which role does a PP play when purchasing a product?
- Reading PPs/STs
- Writing PPs using two different methods:
  - Stove-piping method
  - Explanation method
- Writing STs

Slide 13: BSI PP/ST-Guide - Stove-piping method
Procedure:
1. Determine which SFRs for the TOE and which security objectives for the operational environment are desired
2. Create a single security objective for the TOE for each SFR
3. Create an OSP for each security objective for the TOE
4. Create an assumption for each security objective for the operational environment
5. Write the remaining chapters (PP introduction and conformance claims)

Slide 14: BSI PP/ST-Guide - Stove-piping method
Advantages:
- Simple and fast method to write a PP
- The PP almost automatically meets many of the requirements of the APE class
Disadvantages:
- The question why the TOE implements the description of the PP is not answered
- The PP merely states on three different levels (TOE security environment, security objectives, SFRs): "This is what the TOE does."

Slide 15: BSI PP/ST-Guide - Explanation method - Overview
The focus is on deriving the various items in a PP rather than simply stating them.
Procedure (part 1):
1. Write the conformance claims
2. Analyse the OSPs
3. Analyse the threats
4. Derive the security objectives for the TOE and the operational environment, including the security objectives rationale

Slide 16: BSI PP/ST-Guide - Explanation method - Overview
Procedure (part 2):
5. Derive the SFRs, including the security requirements rationale
6. Define the SARs and explain why you have chosen them
7. Write the PP introduction

Slide 17: BSI PP/ST-Guide - Explanation method - Analysing the SPD
- Analysing the OSPs: laws, rules, practices or guidelines
- Analysing the threats; questions for their definition:
  - What happens when I don't have a TOE?
  - What are the assets to be protected?
  - What are the adverse actions?
  - Who are the threat agents?
- Assumptions will not be defined

Slide 18: BSI PP/ST-Guide - Explanation method - Deriving the objectives
Deriving the security objectives for the TOE and the operational environment
- Purpose:
  - Providing a high-level, natural-language solution of the problem
  - Building a bridge between the threats and OSPs on one side and the SFRs on the other side
- Three questions:
  - Where will the TOE be placed, and can it be physically attacked there?
  - What is the purpose of the TOE?
  - How is the TOE managed?
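As an added illustration (not from the guide or from the PP), the tracings that the security objectives rationale and the security requirements rationale of the explanation method have to supply can be checked mechanically. The threat, OSP, assumption, objective and SFR names below are a constructed toy loosely modelled on the digital election system; the tracing rules encoded (TOE objectives trace to threats and OSPs, assumptions are upheld only by objectives for the operational environment, SFRs meet only TOE objectives) are those of CC 3.1 Part 1 as the editor understands them.

```python
# Added example (constructed toy, not the PP's own tracing): a mechanical check
# of the CC 3.1 rationale tracings between SPD, objectives and SFRs.
from collections import defaultdict

# Security problem definition: threats, OSPs and assumptions (constructed)
THREATS = {"T.Disclosure", "T.Manipulation", "T.Tracing"}
OSPS = {"P.Logging"}
ASSUMPTIONS = {"A.Admin", "A.Platform"}
# Security objectives for the TOE (O.) and the operational environment (OE.)
OBJ_TOE = {"O.Confidentiality", "O.Integrity", "O.Anonymity", "O.Audit"}
OBJ_ENV = {"OE.Admin", "OE.Platform"}
# Security objectives rationale: objective -> threats/OSPs/assumptions addressed
OBJ_RATIONALE = {
    "O.Confidentiality": {"T.Disclosure"}, "O.Integrity": {"T.Manipulation"},
    "O.Anonymity": {"T.Tracing"}, "O.Audit": {"P.Logging"},
    "OE.Admin": {"A.Admin", "T.Manipulation"}, "OE.Platform": {"A.Platform"},
}
# Security requirements rationale: SFR -> TOE objectives it meets
SFR_RATIONALE = {
    "FDP_ACC.1": {"O.Confidentiality", "O.Integrity"},
    "FPR_ANO.1": {"O.Anonymity"}, "FAU_GEN.1": {"O.Audit"},
}
def check_rationale(threats, osps, assumptions, obj_toe, obj_env,
                    obj_rationale, sfr_rationale):
    """Return the list of tracing defects; an empty list means complete."""
    problems = []
    covered = defaultdict(set)        # SPD element -> objectives addressing it
    for obj, items in obj_rationale.items():
        for item in items:
            covered[item].add(obj)
    for item in threats | osps:       # each threat/OSP needs some objective
        if not covered[item]:
            problems.append(f"{item} not addressed by any objective")
    for item in assumptions:          # assumptions: environment objectives only
        if not covered[item] & obj_env:
            problems.append(f"{item} not upheld by an environment objective")
        for obj in covered[item] & obj_toe:
            problems.append(f"TOE objective {obj} traces to assumption {item}")
    met = defaultdict(set)            # TOE objective -> SFRs meeting it
    for sfr, objs in sfr_rationale.items():
        for obj in objs:
            met[obj].add(sfr)
            if obj in obj_env:        # SFRs may only meet TOE objectives
                problems.append(f"{sfr} traces to environment objective {obj}")
    for obj in obj_toe:               # each TOE objective: traced and met
        if not obj_rationale.get(obj, set()) & (threats | osps):
            problems.append(f"{obj} traces to no threat or OSP")
        if not met[obj]:
            problems.append(f"{obj} not met by any SFR")
    return problems
```

Running the check on the toy tables returns an empty list; dropping an SFR or letting a TOE objective trace to an assumption produces the corresponding defect, which is the kind of gap the APE evaluation would otherwise find.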
Slide 19: BSI PP/ST-Guide - Explanation method - Deriving the SFRs
- Not yet worked out, but will be added in the next version
- Considered approach:
  - Short introductory statement on CC Part 2
  - Different examples for each functional class
  - Possibly more detailed explanations of certain aspects such as the definition of access control policies, information flow policies or an I&A policy

Slide 20: BSI PP/ST-Guide - Publication
- The guide is currently being developed by the BSI in a project
- Upon completion the guide will be published on the BSI homepage: http://www.bsi.de

Slide 21: Contact
Bundesamt für Sicherheit in der Informationstechnik (BSI) / Federal Office for Information Security
Godesberger Allee 185-189
53175 Bonn
Frank Grefrath
Tel: +49 (0)228-9582-5838
Fax: +49 (0)228-9582-5477
Frank.Grefrath@bsi.bund.de