BSI activities in developing PPs and the BSI-PP/ST-Guide
Frank Grefrath
Bundesamt für Sicherheit in der Informationstechnik / Federal Office for Information Security
ICCC, September 2007
Agenda
• BSI activities in PP certification
• Introduction of the PP “Digitales Wahlstift-System, V. 1.0.1”
• Introduction of the BSI-PP/ST-Guide
Recently certified PPs in the BSI CC scheme
• BSI-PP-0031-2007: “Protection Profile Digitales Wahlstift-System, V. 1.0.1”
  • The PP defines the minimum IT security requirements for systems that provide technical assistance in elections on the basis of a digital election pen
• BSI-PP-0034-2007: “Mobile Synchronisation Services Protection Profile, V. 1.1”
  • The purpose of such a system is to provide secure remote access for mobile users (e.g. using a PDA) to e-mail or PIM (personal information management) services located in a company’s intranet
Recently certified PPs in the BSI scheme
• BSI-PP-0035-2007: “Security IC Platform Protection Profile” (update of BSI-PP-0002-2001)
  • The defined TOE is a smartcard integrated circuit composed of a processing unit, security components, I/O ports (contact-based and/or contactless) and volatile and non-volatile memories (hardware)
• Different PPs for the German electronic health system are currently under evaluation
Protection Profile for a digital election system: System Overview
• A digital election system compliant with the PP serves as electronic assistance in complex elections
• The voter marks his votes with a digital pen on a special kind of paper
• The camera in the pen records the marks, and the data is then transferred to a PC
• There the data is analysed, the votes are counted automatically, and a protection against manipulation of the election result is generated
Protection Profile for a digital election system: Motivation / Benefit
• Voting takes place in a familiar way for the voter: making crosses with a pen on paper
• Vote counting can be carried out much faster and more easily
• Typical failures of manual counting can be avoided
• In cases of doubt the electronic election result can be checked by manually counting the paper ballots
• Complex elections can be conducted without great manpower requirements
Protection Profile for a digital election system: Main IT Security Features
• Recording the votes on the paper ballots with the pen
• Transferring the election data to a PC via USB
• Storing the data on the PC without it being traceable to the voter
• Analysing the votes and dividing them into valid, doubtful and invalid votes
• Judging of the doubtful votes by the scrutineers
• Automatic calculation of the election result
• Generation and display of a proof of origin
• Logging of security-relevant events
Protection Profile for a digital election system: Physical Boundaries of the TOE
• Hardware: digital election pens and docking stations
• Firmware: firmware of the digital election pen
  • Recording the marks on the paper
• Software: TOE application software for
  • Controlling the pens
  • Storing the election data during the election
  • Judging and counting the votes
  • Generating a proof of origin
  • Logging security-relevant events
Protection Profile for a digital election system: TOE Security Environment
• The PP contains assumptions covering the following aspects:
  • Usage assumptions resulting from the German election law
  • Trustworthy and carefully working administrators and scrutineers
  • Correctly and securely configured PC platform
• The TOE counters the following threats:
  • Disclosure of election data and protocol data
  • Disturbance and manipulation of the technical procedures
  • Undetected manipulation of the election pen and the election result
  • Successful tracing between election data and voter
Protection Profile for a digital election system: General Regulations
• Validity: valid until June 30th, 2008
• CC assurance level: EAL 3
• Combined evaluation:
  • EAL3 CC certification by the BSI
  • Approval by the Physikalisch-Technische Bundesanstalt according to the German election law, including source code analysis and emission measurement
BSI PP/ST-Guide: Introduction
• Based on CC Version 3.1
• Intended audience for the guide:
  • PP/ST readers with little or no CC knowledge
  • PP/ST writers
  • Evaluators, certifiers
BSI PP/ST-Guide: Structure of the guide
• What is the purpose of PPs/STs? Which role does a PP play when purchasing a product?
• Reading PPs/STs
• Writing PPs using two different methods
  • Stove-piping method
  • Explanation method
• Writing STs
BSI PP/ST-Guide: Stove-Piping Method
• Procedure:
  • Determine which SFRs for the TOE and which security objectives for the operational environment are desired
  • Create a single security objective for the TOE for each SFR
  • Create an OSP for each security objective for the TOE
  • Create an assumption for each security objective for the operational environment
  • Write the remaining chapters (PP introduction and conformance claims)
BSI PP/ST-Guide: Stove-Piping Method
• Advantages:
  • Simple and fast method to write a PP
  • The PP almost automatically meets many of the requirements of the APE class
• Disadvantages:
  • The question of why the TOE implements what the PP describes is not answered
  • The PP merely states on three different levels (TOE security environment, security objectives, SFRs) “This is what the TOE does.”
BSI PP/ST-Guide: Explanation Method, Overview
• The focus lies on deriving the various items in a PP rather than simply stating them.
• Procedure (part 1):
  • Write the conformance claims
  • Analyse the OSPs
  • Analyse the threats
  • Derive the security objectives for the TOE and the operational environment, including the security objectives rationale
BSI PP/ST-Guide: Explanation Method, Overview
• Procedure (part 2):
  • Derive the SFRs, including the security requirements rationale
  • Define the SARs and explain why you have chosen them
  • Write the PP introduction
BSI PP/ST-Guide: Explanation Method, Analysing the SPD
• Analysing the OSPs
  • Laws, rules, practices or guidelines
• Analysing the threats
  • Guiding question: What happens when I don't have a TOE?
  • What are the assets to be protected?
  • What are the adverse actions?
  • Who are the threat agents?
• Assumptions are not defined
BSI PP/ST-Guide: Explanation Method, Deriving the objectives
• Deriving the security objectives for the TOE and the operational environment
• Purpose:
  • Providing a high-level, natural-language solution to the problem
  • Building a bridge between the threats and OSPs on one side and the SFRs on the other
• Three questions:
  • Where will the TOE be placed, and can it be physically attacked there?
  • What is the purpose of the TOE?
  • How is the TOE managed?
BSI PP/ST-Guide: Explanation Method, Deriving the SFRs
• Deriving the SFRs
  • Not yet worked out, but will be added in the next version
• Considered approach:
  • Short introductory statement on CC Part 2
  • Different examples for each functional class
  • Possibly more detailed explanations of certain aspects such as the definition of access control policies, information flow policies or an I&A policy
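Both methods above end in the same tracing an evaluator checks under the APE class: every threat and OSP addressed by a security objective, every assumption upheld by an objective for the environment, and every TOE objective met by at least one SFR. The following Python is an added illustration (not the guide's own material) of that check, with a stove-piped PP that passes by construction and a constructed explanation-method sketch of the election-pen PP in which one derived objective still lacks an SFR; all T./P./A./O./OE. names are made up for the example.

```python
# Added illustration of the rationale tracing both PP-writing methods must
# end up with (not the BSI guide's own tooling); all names are constructed.
from dataclasses import dataclass

@dataclass
class PP:
    threats: set            # SPD: threats the TOE counters
    osps: set               # SPD: organisational security policies
    assumptions: set        # SPD: assumptions about the environment
    toe_objectives: dict    # O.x -> {threats / OSPs it addresses}
    env_objectives: dict    # OE.x -> {threats / OSPs / assumptions it addresses}
    sfrs: dict              # SFR -> {TOE objectives it meets}

def stove_pipe(sfr_ids, env_objective_names):
    """Stove-piping method: one TOE objective per SFR, one OSP per objective,
    one assumption per objective for the environment; no threats at all."""
    return PP(threats=set(),
              osps={f"P.{s}" for s in sfr_ids},
              assumptions={f"A.{e}" for e in env_objective_names},
              toe_objectives={f"O.{s}": {f"P.{s}"} for s in sfr_ids},
              env_objectives={f"OE.{e}": {f"A.{e}"} for e in env_objective_names},
              sfrs={s: {f"O.{s}"} for s in sfr_ids})

def election_pen_example():
    """Explanation method, sketched for the election-pen PP: threats and OSPs
    are analysed first, objectives derived from them, SFRs from those."""
    return PP(threats={"T.Disclosure", "T.Tracing"},
              osps={"P.Logging"},
              assumptions={"A.Admin"},
              toe_objectives={"O.Confidentiality": {"T.Disclosure"},
                              "O.Anonymity": {"T.Tracing"},
                              "O.Audit": {"P.Logging"}},
              env_objectives={"OE.Admin": {"A.Admin"}},
              sfrs={"FDP_ACC.1": {"O.Confidentiality"},
                    "FAU_GEN.1": {"O.Audit"}})   # nothing yet meets O.Anonymity

def rationale_gaps(pp):
    """Findings an evaluator raises under the APE class: every threat and OSP
    addressed by an objective, every assumption upheld by an objective for
    the environment, every TOE objective met by at least one SFR."""
    addressed = set().union(*pp.toe_objectives.values(), *pp.env_objectives.values())
    upheld = set().union(*pp.env_objectives.values())
    met = set().union(*pp.sfrs.values())
    gaps = [f"{t} not addressed by any security objective"
            for t in sorted(pp.threats | pp.osps) if t not in addressed]
    gaps += [f"{a} not upheld by any objective for the environment"
             for a in sorted(pp.assumptions) if a not in upheld]
    gaps += [f"{o} not met by any SFR"
             for o in sorted(pp.toe_objectives) if o not in met]
    return gaps
```

The stove-piped PP reports no gaps because its chains are built one-to-one, which is exactly why the method passes the APE tracing almost automatically while never explaining why those SFRs were chosen.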
BSI PP/ST-Guide: Publication
• The guide is currently being developed by the BSI in a project
• Upon completion the guide will be published on the BSI homepage: http://www.bsi.de
Contact
Bundesamt für Sicherheit in der Informationstechnik (BSI) / Federal Office for Information Security
Godesberger Allee 185-189, 53175 Bonn
Frank Grefrath
Tel: +49 (0)228-9582-5838
Fax: +49 (0)228-9582-5477
Frank.Grefrath@bsi.bund.de