Administrator's Guide
Netscape Certificate Management System


Appendix A   Common Criteria Environment: Security Requirements


The text in this document is copied directly from the ST (Security Target).

   Security Requirements for the IT Environment


This chapter specifies the security functional requirements that are applicable to the IT environment.


Table A-1    IT Environment Functional Security Requirements

Security Functional Class               | Security Functional Components
----------------------------------------|------------------------------------------------------------------------
Security Audit (FAU)                    | FAU_GEN.1 Audit data generation (iteration 1)
                                        | FAU_GEN.2 User identity association (iteration 1)
                                        | FAU_SAR.1 Audit review
                                        | FAU_SAR.3 Selectable audit review
                                        | FAU_SEL.1 Selective audit (iteration 1)
                                        | FAU_STG.1 Protected audit trail storage (iteration 1)
                                        | FAU_STG.4 Prevention of audit data loss (iteration 1)
Cryptographic support (FCS)             | FCS_CKM.1 Cryptographic key generation
                                        | FCS_CKM.4 Cryptographic key destruction
                                        | FCS_COP.1 Cryptographic operation
User Data Protection (FDP)              | FDP_ACC.1 Subset access control (iteration 1)
                                        | FDP_ACF.1 Security attribute based access control (iteration 1)
                                        | FDP_ITT.1 Basic internal transfer protection (iterations 1 and 2)
                                        | FDP_UCT.1 Basic data exchange confidentiality (iteration 1)
Identification and authentication (FIA) | FIA_AFL.1 Authentication failure handling
                                        | FIA_ATD.1 User attribute definition
                                        | FIA_UAU.1 Timing of authentication (iteration 1)
                                        | FIA_UID.1 Timing of identification (iteration 1)
                                        | FIA_USB.1 User-subject binding (iteration 1)
Security management (FMT)               | FMT_MOF.1 Management of security functions behavior (iteration 1)
                                        | FMT_MSA.1 Management of security attributes
                                        | FMT_MSA.2 Secure security attributes
                                        | FMT_MSA.3 Static attribute initialization
                                        | FMT_MTD.1 Management of TSF data
                                        | FMT_SMR.2 Restrictions on security roles
Protection of the TSF (FPT)             | FPT_AMT.1 Abstract machine testing
                                        | FPT_ITC.1 Inter-TSF confidentiality during transmission (iteration 1)
                                        | FPT_ITT.1 Basic internal TSF data transfer protection (iterations 1 and 2)
                                        | FPT_RVM.1 Non-bypassability of the TSP (iteration 1)
                                        | FPT_SEP.1 TSF domain separation
                                        | FPT_STM.1 Reliable time stamps (iteration 1)
                                        | FPT_TST_CIMC.2 Software/firmware integrity test
                                        | FPT_TST_CIMC.3 Software/firmware load test
Trusted path/channels (FTP)             | FTP_TRP.1 Trusted path


   Security Audit (FAU)

FAU_GEN.1 Audit data generation (iteration 1)

FAU_GEN.1.1       The IT environment shall be able to generate an audit record of the following auditable events:

  1. Start-up and shutdown of the audit functions;
  2. All auditable events for the minimum level of audit; and
  3. The events listed in Table A-2 below.

FAU_GEN.1.2       The IT environment shall record within each audit record at least the following information:

  1. Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
  2. For each audit event type, the information specified in the Additional Details column in Table A-2 below.

Additionally, the audit shall not include plaintext private or secret keys or other critical security parameters.


Table A-2    Auditable Events and Audit Data

Section/Function                  | Component                                     | Event                                                                                                        | Additional Details
----------------------------------|-----------------------------------------------|--------------------------------------------------------------------------------------------------------------|-------------------
Security Audit                    | FAU_GEN.1 Audit data generation (iteration 1) | Any changes to the audit parameters, e.g., audit frequency, type of event audited                            |
                                  |                                               | Any attempt to delete the audit log                                                                          |
Identification and Authentication | FIA_ATD.1 User attribute definition           | Successful and unsuccessful attempts to assume a role                                                        |
                                  | FIA_AFL.1 Authentication failure handling     | The value of maximum authentication attempts is changed                                                      |
                                  | FIA_AFL.1 Authentication failure handling     | Maximum authentication attempts unsuccessful authentication attempts occur during user login                 |
                                  | FIA_AFL.1 Authentication failure handling     | An Administrator unlocks an account that has been locked as a result of unsuccessful authentication attempts |
                                  |                                               | An Administrator changes the type of authenticator, e.g., from password to biometrics                        |
Account Administration            |                                               | Roles and users are added or deleted                                                                         |
                                  |                                               | The access control privileges of a user account or a role are modified                                       |

FAU_GEN.2 User identity association (iteration 1)

FAU_GEN.2.1       The IT environment shall be able to associate each auditable event with the identity of the user that caused the event.

FAU_SAR.1 Audit review

FAU_SAR.1.1       The IT environment shall provide Auditors with the capability to read all information from the audit records.

FAU_SAR.1.2       The IT environment shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.3 Selectable audit review

FAU_SAR.3.1       The IT environment shall provide the ability to perform searches of audit data based on the type of event, the user responsible for causing the event, and as specified in Table A-3 below.


Table A-3    Audit Search Criteria

Section/Function                                           | Search Criteria
-----------------------------------------------------------|-----------------------------------------------------------
Certificate Request Remote and Local Data Entry            | Identity of the subject of the certificate being requested
Certificate Revocation Request Remote and Local Data Entry | Identity of the subject of the certificate to be revoked


FAU_SEL.1 Selective audit (iteration 1)

FAU_SEL.1.1       The IT environment shall be able to include or exclude auditable events from the set of audited events based on the following attributes:

a) [event type].

FAU_STG.1 Protected audit trail storage (iteration 1)

FAU_STG.1.1       The IT environment shall protect the stored audit records from unauthorized deletion.

FAU_STG.1.2       The IT environment shall be able to detect modifications to the audit records.

FAU_STG.4 Prevention of audit data loss (iteration 1)

FAU_STG.4.1       The IT environment shall prevent auditable events, except those taken by the Auditor, if the audit trail is full.
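As an added illustration (not text or code from the ST or from Certificate Management System), the following Python models an audit trail that records the fields FAU_GEN.1.2 requires, applies FAU_SEL.1's include/exclude by event type, and meets FAU_STG.1.2 by chaining each record to its predecessor with a keyed hash so that edits, deletions and splices inside the trail are detected. The chaining key, event-type names and sample entries are constructed for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key. In a CIMC the chaining key would be held by the
# FIPS-validated cryptographic module, never written into the log itself.
CHAIN_KEY = b"constructed-demo-key-not-a-real-secret"


class AuditTrail:
    """Audit trail modelled on FAU_GEN.1.2, FAU_SEL.1 and FAU_STG.1.2."""

    def __init__(self, audited_event_types=None):
        self.records = []
        # FAU_SEL.1: include or exclude events by event type (None = audit everything)
        self.audited_event_types = audited_event_types

    def append(self, event_type, subject, outcome, details="", when=None):
        if self.audited_event_types is not None and event_type not in self.audited_event_types:
            return None  # excluded by the selective-audit configuration
        when = when or datetime.now(timezone.utc)
        record = {
            "time": when.isoformat(),  # FAU_GEN.1.2 (1): date and time of the event
            "event": event_type,       # type of event
            "subject": subject,        # subject identity
            "outcome": outcome,        # success or failure
            "details": details,        # FAU_GEN.1.2 (2): the Additional Details column
        }
        prev_mac = self.records[-1]["mac"] if self.records else ""
        record["mac"] = self._mac(record, prev_mac)  # binds this record to the previous one
        self.records.append(record)
        return record

    @staticmethod
    def _mac(record, prev_mac):
        body = json.dumps({k: v for k, v in record.items() if k != "mac"}, sort_keys=True)
        return hmac.new(CHAIN_KEY, (prev_mac + body).encode(), hashlib.sha256).hexdigest()

    def first_tampered(self):
        """FAU_STG.1.2: index of the first edited or spliced record, or None if intact."""
        prev_mac = ""
        for i, record in enumerate(self.records):
            if not hmac.compare_digest(self._mac(record, prev_mac), record["mac"]):
                return i
            prev_mac = record["mac"]
        return None
```

Truncating the newest records is not caught by the chain alone; a copy of the latest MAC kept outside the log (for example by the Auditor) closes that gap.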

   Cryptographic support (FCS)

FCS_CKM.1 Cryptographic key generation

FCS_CKM.1.1       The FIPS 140-1 validated cryptographic module shall generate cryptographic keys in accordance with [any FIPS-approved or recommended cryptographic key generation algorithm] that meet the following: [FIPS 140-1].

FCS_CKM.4 Cryptographic key destruction

FCS_CKM.4.1       The IT environment shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [any FIPS-approved or recommended key destruction method] that meets the following: [FIPS 140-1].

FCS_COP.1 Cryptographic operation

FCS_COP.1.1       The FIPS 140-1 validated cryptographic module shall perform [all cryptographic operations] in accordance with [FIPS-approved or recommended algorithms].

   User Data Protection (FDP)

FDP_ACC.1 Subset access control (iteration 1)

FDP_ACC.1.1       The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in "CIMC TOE Access Control Policy" on [users, files, and access to files].

FDP_ACF.1 Security attribute based access control (iteration 1)

FDP_ACF.1.1       The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in "CIMC TOE Access Control Policy" to objects based on the identity of the subject and the set of roles that the subject is authorized to assume.

FDP_ACF.1.2       The IT environment shall enforce the following rule to determine if an operation among controlled subjects and controlled objects is allowed: The capability to zeroize plaintext private and secret keys shall be restricted to Administrators, Auditors, Officers, and Operators.

FDP_ACF.1.3       The IT environment shall explicitly authorize access of subjects to objects based on the following additional rules: [none].

FDP_ACF.1.4       The IT environment shall explicitly deny access of subjects to objects based on the [none].

FDP_ITT.1 Basic internal transfer protection (iteration 1)

FDP_ITT.1.1       The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in "CIMC TOE Access Control Policy" to prevent the modification of security-relevant user data when it is transmitted between physically-separated parts of the IT environment.

FDP_ITT.1 Basic internal transfer protection (iteration 2)

FDP_ITT.1.1       The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in "CIMC TOE Access Control Policy" to prevent the disclosure of confidential user data when it is transmitted between physically-separated parts of the IT environment.

FDP_UCT.1 Basic data exchange confidentiality (iteration 1)

FDP_UCT.1.1       The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in "CIMC TOE Access Control Policy" to be able to transmit objects in a manner protected from unauthorized disclosure.

   Identification and authentication (FIA)

FIA_AFL.1 Authentication failure handling

FIA_AFL.1.1       If authentication is not performed in a cryptographic module that has been FIPS 140-1 validated to an overall Level of 2 or higher with Level 3 or higher for Roles and Services, the IT environment shall detect when an Administrator configurable maximum authentication attempts unsuccessful authentication attempts have occurred since the last successful authentication for the indicated user identity.

FIA_AFL.1.2       When the defined number of unsuccessful authentication attempts has been met or surpassed, the IT environment shall [disable the corresponding user account].

FIA_ATD.1 User attribute definition

FIA_ATD.1.1       The IT environment shall maintain the following list of security attributes belonging to individual users: the set of roles that the user is authorized to assume, [and no other security attributes].

FIA_UAU.1 Timing of authentication (iteration 1)

FIA_UAU.1.1       The IT environment shall allow [HTTP and LDAP based services] on behalf of the user to be performed before the user is authenticated.

FIA_UAU.1.2       The IT environment shall require each user to be successfully authenticated before allowing any other IT environment-mediated actions on behalf of that user.

FIA_UID.1 Timing of identification (iteration 1)

FIA_UID.1.1       The IT environment shall allow [HTTP and LDAP based services] on behalf of the user to be performed before the user is identified.

FIA_UID.1.2       The IT environment shall require each user to be successfully identified before allowing any other IT environment-mediated actions on behalf of that user.

FIA_USB.1 User-subject binding (iteration 1)

FIA_USB.1.1       The IT environment shall associate the appropriate user security attributes with subjects acting on behalf of that user.

   Security management (FMT)

FMT_MOF.1 Management of security functions behavior (iteration 1)

FMT_MOF.1.1       The IT environment shall restrict the ability to modify the behavior of the functions listed in Table A-4 to the authorized roles as specified in Table A-4.


Table A-4    Authorized Roles for Management of Security Functions Behavior

Section/Function                  | Function/Authorized Role
----------------------------------|-----------------------------------------------------------------------------------------------------------
Security Audit                    | The capability to configure the audit parameters shall be restricted to Administrators.
Identification and Authentication | The capability to specify or change maximum authentication attempts shall be restricted to Administrators.
                                  | The capability to change authentication mechanisms shall be restricted to Administrators.
Account Administration            | The capability to create user accounts and roles shall be restricted to Administrators.
                                  | The capability to assign privileges to those accounts and roles shall be restricted to Administrators.


FMT_MSA.1 Management of security attributes

FMT_MSA.1.1       The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in "CIMC TOE Access Control Policy" to restrict the ability to modify the security attributes [user definitions and role assignments] to Administrators.

FMT_MSA.2 Secure security attributes

FMT_MSA.2.1       The IT environment shall ensure that only secure values are accepted for security attributes.

FMT_MSA.3 Static attribute initialization

FMT_MSA.3.1       The IT environment shall enforce the CIMC IT Environment Access Control Policy specified in "CIMC TOE Access Control Policy" to provide [restrictive] default values for security attributes that are used to enforce the SFP.

FMT_MSA.3.2       The IT environment shall allow the Administrator to specify alternative initial values to override the default values when an object or information is created.

FMT_MTD.1 Management of TSF data

FMT_MTD.1.1       The IT environment shall restrict the ability to view (read) or delete the audit logs to Auditors.

FMT_SMR.2 Restrictions on security roles

FMT_SMR.2.1       The IT environment shall maintain the roles: Administrator, Auditor, and Officer.

FMT_SMR.2.2       The IT environment shall be able to associate users with roles.

FMT_SMR.2.3       The IT environment shall ensure that:

  1. no identity is authorized to assume both an Administrator and an Officer role;
  2. no identity is authorized to assume both an Auditor and an Officer role; and
  3. no identity is authorized to assume both an Administrator and an Auditor role.

Note  The role definitions are listed below:

  1. Administrator - role authorized to install, configure, and maintain the CIMC; establish and maintain user accounts; configure profiles and audit parameters; and generate Component keys.
  2. Officer - role authorized to request or approve certificates or certificate revocations.
  3. Auditor - role authorized to view and maintain audit logs.
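The account-administration rules above, FIA_AFL.1 (lockout after an Administrator-configurable number of failures, counted since the last successful authentication) and FMT_SMR.2.3 (no identity holds both roles of any of the three listed pairs), as one added Python example that is not code from the ST or from Certificate Management System. The audit callback, event names, the PBKDF2 stand-in for the FIPS module's credential handling, and the sample accounts are assumptions made for the example.

```python
import hashlib
import hmac
import os

# FMT_SMR.2.3: the three role pairs no single identity may be authorized to hold.
SEPARATED_ROLE_PAIRS = (frozenset({"Administrator", "Officer"}),
                        frozenset({"Auditor", "Officer"}),
                        frozenset({"Administrator", "Auditor"}))

def violates_role_separation(roles):
    """Return the first forbidden pair contained in roles, or None if the set is allowed."""
    roles = set(roles)
    return next((pair for pair in SEPARATED_ROLE_PAIRS if pair <= roles), None)

def _verifier(password, salt):
    # Constructed stand-in for the FIPS-validated module's credential handling.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

class AccountStore:
    """Accounts with FIA_ATD.1 attributes, FMT_SMR.2.3 checks and FIA_AFL.1 lockout."""

    def __init__(self, audit, max_attempts=5):
        self.audit = audit                # callable(event, subject, outcome, details="")
        self.max_attempts = max_attempts  # Administrator-configurable (FIA_AFL.1.1)
        self.accounts = {}

    def add_user(self, admin, identity, password, roles):
        bad = violates_role_separation(roles)
        if bad is not None:  # refuse role sets that break FMT_SMR.2.3
            self.audit("account.user_added", admin, "failure", f"{identity}: {sorted(bad)}")
            raise ValueError(f"{identity} may not hold both {' and '.join(sorted(bad))}")
        salt = os.urandom(16)
        self.accounts[identity] = {"roles": set(roles), "salt": salt,   # FIA_ATD.1 attributes
                                   "verifier": _verifier(password, salt),
                                   "failures": 0, "disabled": False}
        self.audit("account.user_added", admin, "success", identity)  # Table A-2 event

    def authenticate(self, identity, password):
        acct = self.accounts.get(identity)
        if acct is None or acct["disabled"]:
            self.audit("auth.login", identity, "failure", "unknown or disabled account")
            return False
        if hmac.compare_digest(_verifier(password, acct["salt"]), acct["verifier"]):
            acct["failures"] = 0  # counted "since the last successful authentication"
            self.audit("auth.login", identity, "success")
            return True
        acct["failures"] += 1
        self.audit("auth.login", identity, "failure", f"attempt {acct['failures']}")
        if acct["failures"] >= self.max_attempts:  # "met or surpassed"
            acct["disabled"] = True  # FIA_AFL.1.2: disable the corresponding user account
            self.audit("auth.lockout", identity, "success", "maximum authentication attempts")
        return False

    def unlock(self, admin, identity):
        # Table A-2 event: an Administrator unlocks an account locked by failed attempts
        self.accounts[identity].update(disabled=False, failures=0)
        self.audit("account.unlocked", admin, "success", identity)
```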



   Protection of the TSF (FPT)

FPT_AMT.1 Abstract machine testing

FPT_AMT.1.1       The IT environment shall run a suite of tests [other conditions: during initial start-up, periodically during normal operation, or at the request of an authorized user] to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the IT environment.

FPT_ITC.1 Inter-TSF confidentiality during transmission (iteration 1)

FPT_ITC.1.1       The IT environment shall protect confidential IT environment data transmitted from the IT environment to a remote trusted IT product from unauthorized disclosure during transmission.

FPT_ITT.1 Basic internal TSF data transfer protection (iteration 1)

FPT_ITT.1.1       The IT environment shall protect security-relevant IT environment data from modification when it is transmitted between separate parts of the IT environment.

FPT_ITT.1 Basic internal TSF data transfer protection (iteration 2)

FPT_ITT.1.1       The IT environment shall protect confidential IT environment data from disclosure when it is transmitted between separate parts of the IT environment.

FPT_RVM.1 Non-bypassability of the TSP (iteration 1)

FPT_RVM.1.1       Each operating system in the IT environment shall ensure that its policy enforcement functions are invoked and succeed before each function within its scope of control is allowed to proceed.

FPT_SEP.1 TSF domain separation

FPT_SEP.1.1       Each operating system in the IT environment shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects.

FPT_SEP.1.2       Each operating system in the IT environment shall enforce separation between the security domains of subjects in its scope of control.

FPT_STM.1 Reliable time stamps (iteration 1)

FPT_STM.1.1       The IT environment shall be able to provide reliable time stamps for its own use.

FPT_TST_CIMC.2 Software/firmware integrity test

FPT_TST_CIMC.2.1          An error detection code (EDC) or FIPS-approved or recommended authentication technique (e.g., the computation and verification of an authentication code, keyed hash, or digital signature algorithm) shall be applied to all security-relevant software and firmware residing within the CIMC (e.g., within EEPROM and RAM). The EDC shall be at least 16 bits in length.

FPT_TST_CIMC.2.2          The error detection code, authentication code, keyed hash, or digital signature shall be verified at power-up and on-demand. If verification fails, the IT environment shall [not enable the TOE].

Rationale: This component is necessary to specify a unique requirement for certificate issuing and management components that is not addressed by the CC. It satisfies the security objective O.Integrity protection of user data and software and O.Periodically check integrity.

FPT_TST_CIMC.3 Software/firmware load test

FPT_TST_CIMC.3.1          A cryptographic mechanism using a FIPS-approved or recommended authentication technique (e.g., an authentication code, keyed hash, or digital signature algorithm) shall be applied to all security-relevant software and firmware that can be externally loaded into the CIMC.

FPT_TST_CIMC.3.2          The IT environment shall verify the authentication code, keyed hash, or digital signature whenever the software or firmware is externally loaded into the CIMC. If verification fails, the IT environment shall [not enable the TOE].

Rationale: This component is necessary to specify a unique requirement for certificate issuing and management components that is not addressed by the CC. It satisfies the security objective O.Integrity protection of user data and software and O.Periodically check integrity.
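The integrity test of FPT_TST_CIMC.2 and the load test of FPT_TST_CIMC.3, sketched as one added Python example (not code from the ST or from Certificate Management System): a FIPS-style keyed hash over each security-relevant image is recorded at install time, re-verified at power-up and whenever an image is loaded from outside, and the TOE is not enabled on any failure. The key, component names and image bytes are constructed for the example.

```python
import hashlib
import hmac

# Constructed demo key standing in for the key held by the FIPS-validated module.
INTEGRITY_KEY = b"constructed-demo-integrity-key"


def keyed_hash(image: bytes) -> str:
    """Keyed hash (HMAC-SHA256) over an image; far stronger than the 16-bit EDC minimum."""
    return hmac.new(INTEGRITY_KEY, image, hashlib.sha256).hexdigest()


def build_manifest(images: dict) -> dict:
    """Record the expected keyed hash of every security-relevant component at install time."""
    return {name: keyed_hash(data) for name, data in images.items()}


def verify_images(manifest: dict, images: dict) -> list:
    """FPT_TST_CIMC.2.2: names of components whose check fails (empty list = all verified).

    A component listed in the manifest but absent from the running set fails, and so does a
    component present in the running set that the manifest never recorded (unknown code).
    """
    failures = []
    for name in set(manifest) | set(images):
        expected, data = manifest.get(name), images.get(name)
        if expected is None or data is None or not hmac.compare_digest(keyed_hash(data), expected):
            failures.append(name)
    return sorted(failures)


def power_up(manifest: dict, images: dict) -> bool:
    """Enable the TOE only when every component verifies; otherwise fail closed."""
    failures = verify_images(manifest, images)
    if failures:
        print("integrity test failed, TOE not enabled:", ", ".join(failures))
        return False
    return True


def load_external(manifest: dict, name: str, image: bytes, mac: str) -> bool:
    """FPT_TST_CIMC.3.2: accept an externally loaded image only if its keyed hash verifies."""
    if not hmac.compare_digest(keyed_hash(image), mac):
        return False  # leave the manifest untouched; the TOE must not be enabled with it
    manifest[name] = mac
    return True
```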

   Trusted path/channels (FTP)

FTP_TRP.1 Trusted path

FTP_TRP.1.1       The IT environment shall provide a communication path between itself and [local] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification or disclosure.

FTP_TRP.1.2       The IT environment shall permit [local users] to initiate communication via the trusted path.

FTP_TRP.1.3       The IT environment shall require the use of the trusted path for initial user authentication, [and no other services].

CIMC TOE Access Control Policy

The TOE shall support the administration and enforcement of a CIMC TOE access control policy that provides the capabilities described below.

Subjects (human users) will be granted access to objects (data/files) based upon the:

  1. Identity of the subject requesting access,
  2. Role (or roles) the subject is authorized to assume,
  3. Type of access requested,
  4. Content of the access request, and,
  5. Possession of a secret or private key, if required.

Subject identification includes:

Access type, with explicit allow or deny:

For each object, an explicit owning subject and role will be identified. Also, the assignment and management of authorizations will be the responsibility of the owner of an object or a role(s), as specified in this PP.




© 2001 Sun Microsystems, Inc. Portions copyright 1999, 2002-2004 Netscape Communications Corporation. All rights reserved.


Last Updated November 23, 2004