Modular Protection Profiles<br />
Julie Chuzel and Daniel Torno, ANSSI<br />
<strong>Carolina</strong> <strong>Lavatelli</strong> and Guillaume Dufay, Trusted Labs<br />
© 2012 Trusted Labs S.A.S.
Agenda<br />
• Why modules for Protection Profiles?<br />
• Definition of PP-module and PP-configuration<br />
• Evaluation<br />
• Management and certification<br />
Objectives<br />
• Support optional security features of a<br />
product type<br />
• Support specification updates<br />
• Factorise the writing and evaluation of PPs<br />
• Limit the impact of modifications<br />
• Give PPs a longer useful life.<br />
Notions<br />
• PP-module:<br />
▪ a CC formalisation of an option for a certain type of TOE<br />
▪ addresses optional security features of a given type of TOE that cannot be required uniformly of all products of that kind<br />
▪ must be used with one or several base PPs<br />
• PP-configuration:<br />
▪ the merge of one or more Protection Profiles with one or several PP-modules<br />
▪ used as a regular Protection Profile<br />
Methodology<br />
Addenda to the CC v3.1 publications:<br />
• Expected content of modules and configurations, presented as a complement to CC Part 1;<br />
• Evaluation criteria applicable to PP-configurations, through a new assurance class ACE (Assurance Configuration Evaluation), defined according to CC Part 3 and the CEM;<br />
• Evaluation of security targets conformant to a PP-configuration.<br />
Comparison with PP Packages<br />
PP-modules are comparable to CC functional packages, but packages have limitations:<br />
• Packages are limited to a set of SFRs (or SARs)<br />
• No criteria exist for the evaluation of packages<br />
• All PPs need to be reassessed for new packages<br />
• Combinatorial evaluation issues arise for a PP with several packages<br />
Mandatory Content of a PP-Module<br />
• PP-module introduction<br />
▪ PP identification<br />
▪ Base PPs<br />
▪ TOE overview<br />
• Consistency rationale<br />
▪ Consistency rationale with base PPs<br />
• Conformance claims<br />
▪ CC conformance claims<br />
▪ Conformance rationale<br />
▪ Conformance statement<br />
• Security problem definition<br />
▪ Threats<br />
▪ Organisational security policies<br />
▪ Assumptions<br />
• Security objectives<br />
▪ Security objectives for the TOE<br />
▪ Security objectives for the operational environment<br />
▪ Security objectives rationale<br />
• Extended components definition<br />
▪ Extended components definition<br />
• Security requirements<br />
▪ Security functional requirements<br />
▪ Security assurance requirements<br />
▪ Security requirements rationale<br />
PP-module Introduction<br />
Content:<br />
• Unambiguous reference<br />
• Identification of the base Protection Profile(s) the module relies on:<br />
▪ Set of base PPs: PP_1 AND … AND PP_n, with n ≥ 1<br />
▪ Alternate sets: S_1 OR … OR S_k, with k ≥ 1 (each S_i being such a set of base PPs)<br />
• TOE overview: introduces additional usage and major security features beyond those stated in the base PPs<br />
Consistency Rationale<br />
Objectives:<br />
• Demonstrate that the TOE types of the base PPs and of the PP-module are consistent<br />
• Demonstrate that the unions of:<br />
▪ SPD,<br />
▪ objectives<br />
▪ and security functional requirements<br />
from the base PPs and from the PP-module do not lead to a contradiction<br />
• One consistency rationale per base PP (as many rationales as base PPs).<br />
Content (SPD, Objectives, SFR)<br />
• Each element of the PP-module either comes from a base PP or is entirely new.<br />
• Let E be an element of a PP-module; one of the following cases holds:<br />
▪ E belongs to an identified base PP; the PP-module then contains only a reference to the element in the base PP,<br />
▪ E results from the interpretation or refinement of an element of the same kind in a base PP,<br />
▪ E is a new element introduced by the PP-module, related to additional features of the TOE or its environment.<br />
• A PP-module should not reproduce portions of the base PPs unless they are required to express new needs.<br />
Mandatory Content of a PP-Configuration<br />
• Reference that identifies the PP-configuration,<br />
• Components statement that identifies the base<br />
PPs and the PP-modules composing the<br />
configuration,<br />
• Conformance statement, that specifies whether<br />
the conformance to this PP-configuration has to<br />
be strict or demonstrable,<br />
• SAR statement, specifying the EAL or SAR<br />
package applicable to the PP-configuration.<br />
Interpretation of PP-configuration as a standard PP<br />
• Union of the sets of elements (SPD, objectives, SFRs) of the base PPs and PP-modules, except the base-PP elements that a PP-module refines (the refined element replaces the original).<br />
• The consistency analysis performed on the PP-configuration during evaluation shall ensure that this set is valid (free of contradictions).<br />
Examples of use cases<br />
• PP (U)SIM<br />
▪ SCWS module<br />
▪ GlobalPlatform amendments modules:<br />
▪ Contactless services,<br />
▪ RAM over HTTP,<br />
▪ Security upgrade<br />
• PP SSCD: currently 6 PPs<br />
• Java Card: RMI module<br />
• Security IC (PP0035) augmentations:<br />
▪ Support for cipher schemes<br />
▪ Additional functions / sensors / detectors<br />
▪ TSF self-tests<br />
▪ Area-based memory access control<br />
Class ACE: Protection Profile Configuration Evaluation<br />
New ACE assurance class, derived from APE:<br />
• ACE_INT.1: PP-module introduction<br />
• ACE_CCL.1: PP-module conformance claims<br />
• ACE_SPD.1: PP-module security problem definition<br />
• ACE_OBJ.1: PP-module objectives<br />
• ACE_SFR.1: PP-module security functional requirements<br />
• ACE_MCO.1: PP-module consistency<br />
• ACE_CCO.1: PP-configuration consistency<br />
New Class Components<br />
• ACE_MCO, PP-module consistency:<br />
▪ Similar to APE_CCL, Evaluator confirms consistency of<br />
SPD, Objectives and SFR<br />
▪ based on PP-module consistency rationales<br />
• ACE_CCO, PP-configuration consistency:<br />
▪ A PP-configuration carries no consistency rationale of its own<br />
▪ The consistency analysis is therefore an evaluator task<br />
• Other class components:<br />
▪ Similar to APE<br />
• Class ASE: Unchanged<br />
▪ PP-configuration interpreted as a PP<br />
Evaluation of a PP-Configuration with<br />
several PP-Modules<br />
Process:<br />
• Flatten all the components of the PP-configuration and evaluate it as a standard PP<br />
OR:<br />
• Evaluate the base PPs, if not already done<br />
• Evaluate intermediate PP-configurations<br />
▪ in an incremental way,<br />
▪ adding one PP-module to the base PPs at a time<br />
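As an added worked example (not part of the original slides nor of the ANSSI/Trusted Labs methodology documents), the Python model below exercises three of the points above in one place: the three kinds of PP-module element from the "Content (SPD, Objectives, SFR)" section (reference, refinement, new), the flattening of a PP-configuration into a standard PP from the "Interpretation of PP-configuration as a standard PP" section (union of elements, with base-PP elements replaced by their refinements), the contradiction check that the consistency rationales and ACE_MCO/ACE_CCO are about, and the incremental evaluation of intermediate PP-configurations described in the process just above. Every PP, module and element identifier (PP_USIM, MOD_RAM, A.NO_REMOTE_ADMIN, T.OTA_TAMPER, ...) and the explicit `conflicts` relation are constructed for illustration; they are not taken from the (U)SIM PP, from any GlobalPlatform module, or from any other real PP.

```python
"""Toy model of the modular-PP methodology: base PPs, PP-modules, flattening a
PP-configuration into a standard PP, checking its consistency, and evaluating
intermediate PP-configurations one module at a time.
All identifiers used below are hypothetical (not taken from any real PP)."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Element:
    """One element of the SPD, the objectives or the SFRs.
    kind: 'threat', 'osp', 'assumption', 'objective' or 'sfr'."""
    id: str
    kind: str
    refines: Optional[str] = None          # id of a base-PP element this one replaces
    conflicts: frozenset = frozenset()     # ids that cannot coexist with this element


@dataclass
class PP:
    id: str
    elements: dict                         # id -> Element


@dataclass
class PPModule:
    id: str
    base_sets: list      # S_1 OR ... OR S_k; each S_i is a frozenset of base-PP ids (AND)
    references: set      # base-PP element ids reused unchanged (a reference, not a copy)
    elements: dict       # refinements and new elements, keyed by id


def applicable(module, base_ids):
    """True if the selected base PPs satisfy one of the module's alternate base-PP sets."""
    return any(s <= set(base_ids) for s in module.base_sets)


def flatten(base_pps, modules):
    """Interpret a PP-configuration as a standard PP: the union of all elements,
    minus the base-PP elements that a module refines. Returns (elements, problems)."""
    base_ids = {pp.id for pp in base_pps}
    merged, problems = {}, []
    for pp in base_pps:
        merged.update(pp.elements)
    for m in modules:
        if not applicable(m, base_ids):
            problems.append(f"{m.id}: base PPs {sorted(base_ids)} match no declared set")
        for ref in m.references:
            if ref not in merged:
                problems.append(f"{m.id}: references unknown base element {ref}")
        refined = {e.refines for e in m.elements.values() if e.refines}
        for r in refined:
            if r not in merged:
                problems.append(f"{m.id}: refines unknown base element {r}")
        merged = {k: v for k, v in merged.items() if k not in refined}  # refinement replaces original
        for e in m.elements.values():
            if e.id in merged and e.refines is None:
                problems.append(f"{m.id}: redefines {e.id}; a module should only reference it")
            merged[e.id] = e
    return merged, problems


def consistency_rationale(elements):
    """Contradictions in the union of SPD, objectives and SFRs (what ACE_MCO/ACE_CCO confirm)."""
    return sorted((e.id, c) for e in elements.values() for c in e.conflicts if c in elements)


def evaluate_incrementally(base_pps, modules):
    """Evaluate the intermediate PP-configurations, adding one module at a time."""
    report = {}
    for i in range(1, len(modules) + 1):
        elems, problems = flatten(base_pps, modules[:i])
        name = "+".join(m.id for m in modules[:i])
        report[name] = problems + [f"contradiction {a} vs {b}" for a, b in consistency_rationale(elems)]
    return report


# Constructed sample (hypothetical names, not from the (U)SIM PP or any GlobalPlatform module).
USIM = PP("PP_USIM", {
    "T.UNAUTH_ACCESS": Element("T.UNAUTH_ACCESS", "threat"),
    "A.NO_REMOTE_ADMIN": Element("A.NO_REMOTE_ADMIN", "assumption"),
    "O.ACCESS_CONTROL": Element("O.ACCESS_CONTROL", "objective"),
})
# First draft of a remote-administration module: adds a threat that contradicts the base assumption.
RAM_DRAFT = PPModule("MOD_RAM", [frozenset({"PP_USIM"})], {"O.ACCESS_CONTROL"}, {
    "T.OTA_TAMPER": Element("T.OTA_TAMPER", "threat", conflicts=frozenset({"A.NO_REMOTE_ADMIN"})),
    "O.SECURE_CHANNEL": Element("O.SECURE_CHANNEL", "objective"),
})
# Corrected module: refines the base assumption instead of contradicting it.
RAM_FIXED = PPModule("MOD_RAM", [frozenset({"PP_USIM"})], {"O.ACCESS_CONTROL"}, {
    "A.REMOTE_ADMIN_AUTH": Element("A.REMOTE_ADMIN_AUTH", "assumption", refines="A.NO_REMOTE_ADMIN"),
    "T.OTA_TAMPER": Element("T.OTA_TAMPER", "threat", conflicts=frozenset({"A.NO_REMOTE_ADMIN"})),
    "O.SECURE_CHANNEL": Element("O.SECURE_CHANNEL", "objective"),
})

if __name__ == "__main__":
    for mod in (RAM_DRAFT, RAM_FIXED):
        print(evaluate_incrementally([USIM], [mod]))
```

The draft module is reported as contradictory because the base assumption that no remote administration takes place is still part of the flattened set; the corrected module refines that assumption, so the flattened PP-configuration drops the original and the check passes. In a real evaluation the contradiction relation is established by the evaluator from the texts of the elements, not from an explicit field as here.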
Evaluation of a PP-Configuration with several PP-Modules: Intermediate PP-Configurations<br />
[Figure: incremental evaluation chain. Evaluate the base PPs P_i, record the evaluation results and the evaluated PPs P_i in the PPs registry; evaluate PP-configuration C1, record its results and the evaluated C1 in the registry; evaluate PP-configuration C2, record its results and the evaluated C2 in the registry.]<br />
Management of PP-Modules and Certification of PP-Configurations<br />
Management of PP-modules<br />
• Publication request of a PP-module<br />
• Request process<br />
• PP-module publication<br />
• PP-module recall request<br />
PP-configuration certification<br />
• PP-configuration certification request<br />
• Request process<br />
• PP-configuration evaluation<br />
• Evaluation report validation<br />
• Certification<br />
• PP-configuration and certification report<br />
publication<br />
Use and update of PP and modules catalogs<br />
[Figure: catalogue workflow, summarised below.]<br />
• DB-PP: catalogue of certified PPs (e.g. PP0035, …)<br />
• DB-PPM: catalogue of PP-modules that do not belong to any PP-configuration; a new PP-module published outside any PP-configuration is added here<br />
• DB-PPC: catalogue of certified PP-configurations, listed per base PP<br />
• DB-PPMC: catalogue of PP-modules that belong to at least one certified PP-configuration<br />
Workflow: base PPs are selected from DB-PP and PP-modules are selected from the module catalogues; the PP-configuration (base PPs + PP-modules) is then evaluated. On a PASS verdict, the selected PP-configuration is added to DB-PPC and the list of PP-configurations of the concerned base PPs is updated; the PP-modules of the PP-configuration are added to DB-PPMC.<br />
Next steps<br />
• Methodology finished in April 2012<br />
• To be used and tested in a trial<br />
▪ PP (U)SIM<br />
• To be presented to ISCI<br />
Thank you !<br />
Guillaume Dufay<br />
guillaume.dufay@trusted-labs.com<br />