
BSI activities in developing PPs and the BSI-PP/ST-Guide





Presentation Transcript


  1. BSI activities in developing PPs and the BSI-PP/ST-Guide
     Frank Grefrath
     Bundesamt für Sicherheit in der Informationstechnik / Federal Office for Information Security
     ICCC, September 2007

  2. Agenda
     • BSI activities in PP certification
     • Introduction of the PP “Digitales Wahlstift-System, V. 1.0.1”
     • Introduction of the BSI-PP/ST-Guide

  3. Recently certified PPs in the BSI-CC-Scheme
     • BSI-PP-0031-2007: “Protection Profile Digitales Wahlstift-System, V. 1.0.1”
       • The PP defines the minimum IT-security requirements for systems that provide technical assistance in elections on the basis of a digital election pen
     • BSI-PP-0034-2007: “Mobile Synchronisation Services Protection Profile, V. 1.1”
       • The purpose of such a system is to provide secure remote access for mobile users (e.g. using a PDA) to e-mail or PIM (personal information management) services located in a company’s intranet

  4. Recently certified PPs in the BSI scheme
     • BSI-PP-0035-2007: “Security IC Platform Protection Profile” (update of BSI-PP-0002-2001)
       • The defined TOE is a smartcard integrated circuit composed of a processing unit, security components, I/O ports (contact-based and/or contactless) and volatile and non-volatile memories (hardware)
     • Different PPs for the German electronic health systems are currently under evaluation

  5. Protection Profile for a digital election system - System Overview
     • A digital election system that is compliant with the PP provides electronic assistance in complex elections
     • The voter marks his votes with a digital pen on a special kind of paper
     • The camera of the pen records his votes, and the data is then transferred to a PC
     • There the data is analysed, the votes are counted automatically, and protection against manipulation of the election result is generated

  6. Protection Profile for a digital election system - Motivation / Benefit
     • Voting takes place in a way familiar to the voter: making crosses with a pen on paper
     • Vote counting can be carried out much faster and more easily
     • Typical failures in manual counting can be avoided
     • In cases of doubt the electronic election result can be verified by manually counting the paper ballots
     • Complex elections can be conducted without great manpower requirements

  7. Protection Profile for a digital election system - Main IT-Security Features
     • Recording the votes on the paper ballots with the pen
     • Transferring the election data to a PC via USB
     • Storing the data on the PC without it being traceable to the voter
     • Analysing the votes and dividing them into valid, doubtful and invalid votes
     • Judging of the doubtful votes by the scrutineers
     • Automatic calculation of the election result
     • Generation and display of a proof of origin
     • Logging of security-relevant events

  8. Protection Profile for a digital election system - Physical Boundaries of the TOE
     • Hardware: digital election pens and docking stations
     • Firmware: firmware of the digital election pen
       • Recording the marks on the paper
     • Software: TOE application software for
       • Controlling the pens
       • Storing the election data during the election
       • Judging and counting the votes
       • Generating a proof of origin
       • Logging security-relevant events

  9. Protection Profile for a digital election system - TOE Security Environment
     • The PP contains assumptions covering the following aspects:
       • Usage assumptions resulting from the German election law
       • Trustworthy and carefully working administrators and scrutineers
       • Correctly and securely configured PC platform
     • The TOE counters the following threats:
       • Disclosure of election data and protocol data
       • Disturbance and manipulation of the technical procedures
       • Unnoticed manipulation of the election pen and the election result
       • Successful tracing between election data and voter

  10. Protection Profile for a digital election system - General Regulations
     • Validity: valid until June 30th, 2008
     • CC assurance level: EAL 3
     • Combined evaluation:
       • EAL3 CC certification by the BSI
       • Approval by the Physikalisch-Technische Bundesanstalt according to the German election law, with source code analysis and emission measurement

  11. BSI PP/ST-Guide - Introduction
     • CC, Version 3.1
     • Intended audience for the guide:
       • PP/ST readers with little or no CC knowledge
       • PP/ST writers
       • Evaluators, certifiers

  12. BSI PP/ST-Guide - Structure of the guide
     • What is the purpose of PPs/STs? Which role does a PP play when purchasing a product?
     • Reading PPs/STs
     • Writing of PPs in two different methods
       • Stove-piping method
       • Explanation method
     • Writing of STs

  13. BSI PP/ST-Guide - Stove-Piping Method
     • Procedure:
       • Determine which SFRs for the TOE and which security objectives for the operational environment are desired
       • Create a single security objective for the TOE for each SFR
       • Create an OSP for each security objective for the TOE
       • Create an assumption for each security objective for the operational environment
       • Write the remaining chapters (PP introduction and conformance claims)

  14. BSI PP/ST-Guide - Stove-Piping Method
     • Advantages:
       • Simple and fast method to write a PP
       • The PP almost automatically meets many of the requirements of the APE class
     • Disadvantages:
       • The question why the TOE implements the description of the PP is not answered
       • The PP merely states on three different levels (TOE security environment, security objectives, SFRs) “This is what the TOE does.”

  15. BSI PP/ST-Guide - Explanation Method - Overview
     • The focus lies on deriving the various items in a PP, rather than simply stating them.
     • Procedure (part 1):
       • Write the conformance claims
       • Analyse the OSPs
       • Analyse the threats
       • Derive the security objectives for the TOE and the operational environment, including the security objectives rationale

  16. BSI PP/ST-Guide - Explanation Method - Overview
     • Procedure (part 2):
       • Derive the SFRs, including the security requirements rationale
       • Define the SARs and explain why you have chosen them
       • Write the PP introduction

  17. BSI PP/ST-Guide - Explanation Method - Analysing the SPD
     • Analysing the OSPs
       • Laws, rules, practices or guidelines
     • Analysing the threats
       • Question for definition: what happens when I don't have a TOE?
       • What are the assets to be protected?
       • What are the adverse actions?
       • Who are the threat agents?
     • Assumptions will not be defined

  18. BSI PP/ST-Guide - Explanation Method - Deriving the objectives
     • Deriving the security objectives for the TOE and the operational environment
     • Purpose:
       • Providing a high-level, natural-language solution of the problem
       • Building a bridge between the threats and OSPs on one side and the SFRs on the other side
     • Three questions:
       • Where will the TOE be placed, and can it be physically attacked there?
       • What is the purpose of the TOE?
       • How is the TOE managed?
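The two writing methods (stove-piping on slide 13, explanation method on slides 15 to 18) produce the same three-level structure, and the coverage checks behind the security objectives rationale and the security requirements rationale apply to both. The following added example, which is not part of the presentation or of the BSI guide, models that structure in Python: stove_pipe() generates a PP mechanically as slide 13 prescribes, and rationale_gaps() reports the coverage gaps an APE evaluator would look for. The threat, objective and assumption names and their mapping are constructed for illustration and are not taken from BSI-PP-0031; the SFR identifiers are CC Part 2 component names.

```python
from dataclasses import dataclass, field


@dataclass
class ProtectionProfile:
    """Constructed model of the PP levels: SPD, objectives, SFRs (names are illustrative)."""
    threats: set = field(default_factory=set)
    osps: set = field(default_factory=set)
    assumptions: set = field(default_factory=set)
    toe_objectives: dict = field(default_factory=dict)  # O.x  -> SPD items it addresses
    env_objectives: dict = field(default_factory=dict)  # OE.x -> SPD items it addresses
    sfrs: dict = field(default_factory=dict)            # SFR  -> TOE objectives it meets


def stove_pipe(sfrs, env_objectives):
    """Stove-piping method: start from the desired SFRs and environment objectives and
    generate one TOE objective per SFR, one OSP per TOE objective, one assumption per
    environment objective. Every rationale is a 1:1 mapping by construction."""
    pp = ProtectionProfile()
    for sfr in sfrs:
        pp.osps.add("P." + sfr)
        pp.toe_objectives["O." + sfr] = {"P." + sfr}
        pp.sfrs[sfr] = {"O." + sfr}
    for oe in env_objectives:
        pp.assumptions.add("A." + oe)
        pp.env_objectives["OE." + oe] = {"A." + oe}
    return pp


def rationale_gaps(pp):
    """Coverage checks: every SPD item needs an objective, every TOE objective needs an
    SFR, and every SFR must trace back to a TOE objective that justifies it."""
    addressed = set().union(*pp.toe_objectives.values(), *pp.env_objectives.values())
    met = set().union(*pp.sfrs.values())
    return {
        "spd_without_objective": sorted((pp.threats | pp.osps | pp.assumptions) - addressed),
        "toe_objective_without_sfr": sorted(set(pp.toe_objectives) - met),
        "sfr_without_objective": sorted(s for s, o in pp.sfrs.items()
                                        if not o <= set(pp.toe_objectives)),
    }


# Explanation-method style PP: the SPD comes first (constructed threats loosely follow
# slide 9) and the objectives are derived from it; one objective is left without an SFR.
election_pp = ProtectionProfile(
    threats={"T.Disclosure", "T.Tracing", "T.Manipulation"},
    osps={"P.ElectionLaw"},
    assumptions={"A.TrustedScrutineers", "A.SecurePC"},
    toe_objectives={"O.Confidentiality": {"T.Disclosure"}, "O.Anonymity": {"T.Tracing"},
                    "O.ProofOfOrigin": {"T.Manipulation"},
                    "O.Audit": {"T.Manipulation", "P.ElectionLaw"}},
    env_objectives={"OE.Scrutineers": {"A.TrustedScrutineers"}, "OE.Platform": {"A.SecurePC"}},
    sfrs={"FDP_ACC.1": {"O.Confidentiality"}, "FPR_UNL.1": {"O.Anonymity"},
          "FAU_GEN.1": {"O.Audit"}},
)
```

Running rationale_gaps() on a stove-piped PP returns no gaps at all, which is exactly the "almost automatically meets the APE requirements" property of slide 14, while election_pp reports O.ProofOfOrigin as an objective with no SFR behind it.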

  19. BSI PP/ST-Guide - Explanation Method - Deriving the SFRs
     • Deriving the SFRs
       • Not yet worked out, but will be added in the next version
     • Considered approach:
       • Short introductory statement on CC Part 2
       • Different examples for each functional class
       • Possibly more detailed explanations of certain aspects, such as the definition of access control policies, information flow policies or an I&A policy

  20. BSI PP/ST-Guide - Publication
     • The Guide is currently being developed by the BSI in a project
     • Upon completion the Guide will be published on the BSI homepage: http://www.bsi.de

  21. Contact
     Bundesamt für Sicherheit in der Informationstechnik (BSI) / Federal Office for Information Security
     Godesberger Allee 185-189, 53175 Bonn
     Frank Grefrath
     Tel: +49 (0)228-9582-5838
     Fax: +49 (0)228-9582-5477
     Frank.Grefrath@bsi.bund.de
