Carolina Lavatelli - Your Creative Solutions

Modular Protection Profiles 

Julie Chuzel and Daniel Torno, ANSSI 

Carolina Lavatelli and Guillaume Dufay, Trusted Labs 

© 2012 Trusted Labs S.A.S.

Agenda 

• Why modules for Protection Profiles? 

• Definition of PP-module and PP-configuration 

• Evaluation 

• Management and certification 

© 2012 Trusted Labs S.A.S. 

2

Objectives 

• Support optional security features of a 

product type 

• Support specification updates 

• Factorize the writing and evaluation of PPs, 

• Limit the impact of modifications 

• Provide longer durability to PPs. 


3

Notions 

• PP-module: 

▪ is a CC formalization of an option for a certain type of 

TOE 

▪ address optional security features of a given type of 

TOE that cannot be required uniformly for all products 

of this kind 

▪ must be used with one or several base PPs 

• PP-configuration: 

▪ Merge of one or more Protection Profiles with one or 

several PP-modules 

▪ Used as a regular Protection Profile 


4

Methodology 

Addenda to CC v3.1 publications: 

• Expected content of modules and configurations, 

presented as a complement to CC Part 1; 

• Evaluation criteria applicable to PPconfigurations, 

through a new assurance class 

ACE (Assurance Configuration Evaluation), 

defined according to the CC Part 3 and CEM; 

• Evaluation of security targets conformant to a 

PP-configuration. 


5

Comparison with PP Packages 

PP-modules comparable to CC functional 

packages but: 

• Packages limited to a set of SFR (or SAR) 

• No criteria for the evaluation of packages 

• Need to reassess all PP for new packages 

• Combinatory evaluation issues for a PP with 

several packages 


6

Mandatory Content of a PP-Module 

PP-module 

PP-module introduction 

PP identification 

Base PPs 

TOE overview 

Consistency rationale 

Consistency rationale with base PPs 

Conformance claims 

CC Conformance claims 

Conformance rationale 

Conformance statement 

Security problem 

definition 

Threats 

Organisational security policies 

Assumptions 

Security objectives 

Security objectives for the TOE 

Security objectives for the operational environment 

Security objectives rationale 

Extended components 

definition 

Extended components definition 

Security requirements 

Security functional requirements 

Security assurance requirements 

Security requirements rationale 


7

PP-module Introduction 

Content: 

• Unambiguous reference 

• Identification of the base Protection Profile(s) 

the module relies on: 

▪ Set of base-PPs: PP 1 AND… AND PP n , with n≥1 

▪ Alternate sets: S 1 OR … OR S k , with k≥1 

• TOE overview: Introduce additional usage and 

major security features to those stated in the 

base PPs 


8

Consistency Rationale 

Objectives: 

• Demonstrate consistency of the TOE types from 

the base PPs and from the PP-module 

• Demonstrate that the unions of: 

▪ SPD, 

▪ objectives 

▪ and the security functional requirements 

from the base PPs and from the PP-module do 

not lead to a contradiction 

• As many consistency rationale as base-PPs. 


9

Content (SPD, Objectives, SFR) 

• Each element of the PP-module may either come 

from a base PP or be entirely new. 

• Let E be an element of a PP-module, one of the 

following cases holds: 

▪ E belongs to an identified base PP; the PP-module may 

only contain a reference to the element in the base PP, 

▪ E results from the interpretation or refinement of an 

element of the same kind in base PP, 

▪ E is a new element introduced by the PP-module, related 

to additional features of the TOE or its environment. 

• PP-module would not contain portions of base PPs 

unless they are required to fulfill new needs 


10

Mandatory Content of a PP-Configuration 

• Reference that identifies the PP-configuration, 

• Components statement that identifies the base 

PPs and the PP-modules composing the 

configuration, 

• Conformance statement, that specifies whether 

the conformance to this PP-configuration has to 

be strict or demonstrable, 

• SAR statement, specifying the EAL or SAR 

package applicable to the PP-configuration. 


11

Interpretation of PP-configuration as a standard 

PP 

• Union of the sets of elements (SPD, 

Objectives, SFR) of base PPs and PPmodules, 

except those refined in the base 

PPs. 

• Consistency analysis performed on PPconfiguration 

during evaluation shall ensure this 

set is valid 


12

Examples of use cases 

• PP (U)SIM 

▪ 

▪ 

SCWS module 

GlobalPlatform amendments modules 

▪ Contactless services, 

▪ RAM over HTTP, 

▪ Security upgrade 

• PP SSCD: currently 6 PPs 

• Java Card: RMI module 

• Security IC (PP0035) augmentations: 

▪ 

▪ 

▪ 

▪ 

Support for cipher schemes 

Additional functions/sensors detectors 

TSF self-tests 

Area-based memory access control 


13

Class ACE: Protection Profile 

Configuration evaluation

New ACE Assurance Class, Derived From 

APE 

ACE_INT: PP-module introduction 1 

ACE_CCL: PP-module conformance claims 1 

ACE_SPD: PP-module security problem definition 1 

ACE_OBJ: PP-module objectives 1 

ACE_SFR: PP-module security functional requirements 1 

ACE_MCO: PP-module consistency 1 

ACE_CCO: PP-configuration consistency 1 


15

New Class Components 

• ACE_MCO, PP-module consistency: 

▪ Similar to APE_CCL, Evaluator confirms consistency of 

SPD, Objectives and SFR 

▪ based on PP-module consistency rationales 

• ACE_CCO, PP-configuration consistency: 

▪ No consistency rationale in a PP-configuration 

▪ Evaluator tasks 

• Other class components: 

▪ Similar to APE 

• Class ASE: Unchanged 

▪ PP-configuration interpreted as a PP 


16

Evaluation of a PP-Configuration with 

several PP-Modules 

Process: 

• Flatten all the components of the PP- 

Configuration and evaluate as a standard PP 

OR: 

• Evaluate base-PPs, if not already done 

• Evaluate intermediate PP-Configurations 

▪ in a incremental way, 

▪ adding one PP-module to base-PPs at a time 


17

Evaluation of a PP-Configuration with 

several PP-Modules: Intermediate PP- 

Configurations 

Evaluate 

PPs P i 

PPs P i Evaluation 

results 

Evaluated 

PPs P i 

PPs 

registry 

Evaluate 

PP-Conf. 

C1 

PP-Conf. C1 

Evaluation results 

Evaluated 

PP-Conf. C1 

PPs 

registry 

Evaluate 

PP-Conf. 

C2 

PP-Conf. C2 

Evaluation results 

Evaluated 

PP-Conf. C2 

PPs 

registry 


18

MANAGEMENT OF PP-MODULES AND 

CERTIFICATION OF PP- 

CONFIGURATIONS

Management of PP-modules 

• Publication request of a PP-module 

• Request process 

• PP-module publication 

• PP-module recall request 


20

PP-configuration certification 

• PP-configuration certification request 

• Request process 

• PP-configuration evaluation 

• Evaluation report validation 

• Certification 

• PP-configuration and certification report 

publication 


21

Use and update of PP and modules catalogs 

Base PPs are 

selected 

PP-modules 

are selected 

New PP-module 

publication (outside 

any PPconfiguration) 

C 

DB-PP: Certified PPs 

catalogue (ex : 

PP0035…) 

PP-configuration 

evaluation : 

Base PPs + PPmodules 

DB PPM: Catalogue of 

PP-modules that do not 

belong to any PPconfiguration 

C 

PASS 

DB-PPC: Catalogue of 

PP-configurations 

certified by base PP 

DB PPMC: Catalogue of 

PP-modules that belong at 

least to one certified PPconfiguration 

The selected PP-configuration is 

added to the PP-configuration 

catalog and the list of the PPconfiguration 

of the concerned 

base PPs is updated 

The PP-modules of the PPconfiguration 

are added to the 

catalogue of the PP-modules that at 

least belong to one certified PPconfiguration 


22

Next steps 

• Methodology finished in April 2012 

• To be used and tested in a trial 

▪ PP (U)SIM 

• To be presented to ISCI 


23

Thank you ! 

Guillaume Dufay 

guillaume.dufay@trusted-labs.com 

© 2012 Trusted Labs S.A.S.

Carolina Lavatelli - Your Creative Solutions

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?